If you run engineering, security, or product for an Australian bank, telco, or digital platform, your calendar for the second half of 2026 is already written for you. The Scams Prevention Framework Act 2025 commenced on 21 February 2025, and the first sector designations (banks, telecommunications providers, and a slice of digital platforms) are targeting effect from 1 July 2026. That is about ten weeks away at the time of writing.
The Framework is, fairly, described as the world’s toughest anti-scam regime. Fines reach AUD $50 million per contravention. The Competition and Consumer Act 2010 has been amended to host it. The ACCC is the general regulator, ASIC oversees banks, and ACMA oversees telcos, so you are not going to outrun three of the busiest enforcement bodies in the country.
This piece is written for technology leaders rather than lawyers. The legal explainers covering the Act (Gilbert + Tobin, Corrs Chambers Westgarth, Jones Day, Bird & Bird) are excellent, and I link them under Further reading for when you need the clause-by-clause read. What I cover here is different: what the SPF actually forces engineering and AI teams to build, where the ambiguity is, and what I would be doing this quarter if I still sat on an Australian bank’s or telco’s executive team.
What the Framework actually is, in one page
The SPF sits on top of designated sectors via a three-layer structure.
Layer 1, SPF Principles. Six overarching obligations that apply to every regulated entity regardless of sector: govern (have a senior-accountable scams-prevention regime), prevent (stop scams reaching consumers), detect (spot them while they’re happening), disrupt (stop them mid-flight), respond (handle reports, compensate where obligations are breached), and report (to regulators and consumers). The Treasury overview lays these out.
Layer 2, SPF Codes. Sector-specific obligations with teeth. A bank’s code will look different from a telco’s code which will look different from a social platform’s code, because the scam surface is different. Codes are being developed via consultation, with drafts progressing through 2025 and 2026.
Layer 3, Rules and governance obligations. Additional binding instruments the Minister may make, think “this is how you actually report under the Act”.
Designated first: banks (ADI sector), telcos (carriers and CSPs), and digital platforms, initially social media, instant messaging, and search engines. Superannuation and crypto-asset exchanges are flagged as likely next. If your organisation is adjacent to any of these, assume you will be in scope within 24 months and plan accordingly.
The critical thing to internalise: this is not a data-protection law, not an AML uplift, not a cyber-resilience regulation. Scams are their own category. Your existing APRA CPS 230, Privacy Act, SOCI, and ISO 27001 programs will share controls with SPF compliance, but they do not satisfy SPF. Treat it as a distinct program with a distinct risk register.
Penalties and pathways
For the worst breaches, penalties reach $50 million per contravention, three times the benefit obtained, or 30% of adjusted turnover during the breach period, whichever is greater. These are the headline civil-penalty tiers. Below that sits a cascade of regulator powers: enforceable undertakings, injunctions, representative damages actions, public warning notices, remedial directions, and adverse-publicity orders.
The piece most tech leaders underprice is the private compensation pathway. Consumers who suffer losses because a regulated entity breached the Framework have a direct route to compensation. In banking, that path runs through AFCA as the external dispute resolution body; banks must be AFCA members for scam disputes by 1 September 2026. Expect a wave of claims in the second half of 2026 as the rules bite and lawyers find the first favourable determinations.
What this means for engineering teams
Here is where the press releases stop and the real work starts. Translate the Principles into system-level requirements and you get a specific list of capabilities you almost certainly do not fully have today.
For banks
Confirmation of Payee. The SPF effectively codifies what the UK has run since 2020. Before a customer sends money, the system checks that the name on the destination account matches what the payer typed. Partial match, no match, and close-call cases all need distinct UX treatments, because the false-positive rate when a customer types “Jon Smith” to pay “Jonathan Smith” is where the litigation lives. If you are not already running a Confirmation-of-Payee proof-of-concept, you are late.
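To make the three-tier outcome concrete, here is an added example of a Confirmation-of-Payee name matcher. It is not code from this post, from any bank, or from a CoP vendor. The outcome names, the honorific/suffix list, the 0.75 near-match threshold and the rule that the surname is the last token are all assumptions chosen for illustration; every name in it is constructed.

```python
"""Tiered Confirmation-of-Payee name matching (added example, assumptions noted)."""
import re
import unicodedata
from difflib import SequenceMatcher
from enum import Enum


class CopOutcome(Enum):
    MATCH = "match"              # proceed without extra friction
    CLOSE_MATCH = "close_match"  # show the account name, ask the payer to confirm
    NO_MATCH = "no_match"        # warn, require an explicit override, log it


# Honorifics and entity suffixes ignored during comparison (assumed list).
NOISE_TOKENS = {"mr", "mrs", "ms", "miss", "dr", "pty", "ltd", "limited", "the"}
NEAR_THRESHOLD = 0.75  # assumed: similarity at which two tokens count as a typo


def normalise_name(name: str) -> list:
    """Fold accents to ASCII, lowercase, keep alphabetic tokens, drop noise tokens."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.findall(r"[a-z]+", folded.lower())
    return [t for t in tokens if t not in NOISE_TOKENS]


def near(a: str, b: str) -> bool:
    """True when two tokens differ by no more than a small typo ('smith' / 'smyth')."""
    return SequenceMatcher(None, a, b).ratio() >= NEAR_THRESHOLD


def given_names_compatible(typed: str, actual: str) -> bool:
    """Exact, initial ('j' vs 'jonathan'), prefix ('jon' vs 'jonathan') or typo."""
    if typed == actual:
        return True
    if len(typed) == 1 or len(actual) == 1:
        return typed[0] == actual[0]
    if typed.startswith(actual) or actual.startswith(typed):
        return True
    return near(typed, actual)


def confirm_payee(typed: str, on_account: str) -> CopOutcome:
    """Classify the payer-typed name against the name held on the destination account.

    The surname (last token) must match exactly or as a typo; given names are then
    compared pairwise, so a missing middle name still yields CLOSE_MATCH. Surname-first
    input and nickname tables (Bill/William) are left out to keep the example short;
    a production matcher needs both.
    """
    t, a = normalise_name(typed), normalise_name(on_account)
    if not t or not a:
        return CopOutcome.NO_MATCH
    if t == a:
        return CopOutcome.MATCH
    if not near(t[-1], a[-1]):
        return CopOutcome.NO_MATCH
    if all(given_names_compatible(x, y) for x, y in zip(t[:-1], a[:-1])):
        return CopOutcome.CLOSE_MATCH
    return CopOutcome.NO_MATCH


if __name__ == "__main__":
    # Constructed pairs covering each tier.
    for typed, held in [("Jon Smith", "Jonathan Smith"), ("Mr Jon Smith", "jon smith"),
                        ("Jonathan Smith", "Sarah Jones")]:
        print(f"{typed!r} -> {held!r}: {confirm_payee(typed, held).value}")
```

The point of the split is that the close-match tier gets its own UX (show the held name, ask the payer to confirm) rather than being folded into either a silent pass or a hard block; the threshold constant is where your false-positive tuning lives, and it should be backed by your own test corpus of real mismatches.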
Real-time scam-pattern detection on outbound payments. Behaviourally distinct payments (new payee, unusual amount, device signals off, session behaviour matching a social-engineering transcript) must trigger friction. “Friction” means a pause, a warning, a cooling-off window, or a human call-out, depending on risk score. Vendors have arrived; the engineering work is in integrating them without destroying payment latency and without flooding your contact centre.
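As an added illustration of the signal-to-friction mapping described above (not code from this post, a bank, or a vendor), here is a small rule-based scorer. The signal weights, the "five times the customer's median" test for an unusual amount, the 1000-dollar floor for customers with no history, and the tier thresholds are assumptions for illustration; a real deployment would calibrate them against its own scam and false-positive data. The payment contexts are constructed.

```python
"""Risk-tiered friction for outbound payments (added example, assumptions noted)."""
import statistics
from dataclasses import dataclass, field
from enum import Enum


class Friction(Enum):
    ALLOW = "allow"                  # no extra step
    WARN = "warn"                    # in-flow scam warning, customer may proceed
    COOLING_OFF = "cooling_off"      # payment held for a delay window before release
    HUMAN_CALLOUT = "human_callout"  # held until fraud ops speaks to the customer


@dataclass
class PaymentContext:
    amount: float
    payee_is_new: bool
    recent_amounts: list          # customer's recent outbound amounts (may be empty)
    device_trusted: bool          # known device, no integrity failures
    on_phone_call: bool           # app/telco signal: customer is mid-call while paying
    remote_access_tool: bool      # screen-sharing/remote-control software detected


@dataclass
class Decision:
    score: int
    friction: Friction
    reasons: list = field(default_factory=list)   # which signals fired, for audit and UX


UNUSUAL_AMOUNT_MULTIPLIER = 5   # assumed: above 5x the customer's median is unusual
NO_HISTORY_LARGE_AMOUNT = 1000  # assumed floor when there is no payment history
WEIGHTS = {                     # assumed weights; total is capped at 100
    "new_payee": 30,
    "unusual_amount": 25,
    "large_amount_no_history": 15,
    "untrusted_device": 20,
    "on_phone_call": 25,        # the classic "being coached" signal
    "remote_access_tool": 50,
}
TIERS = [(70, Friction.HUMAN_CALLOUT), (45, Friction.COOLING_OFF), (25, Friction.WARN)]


def assess_payment(ctx: PaymentContext) -> Decision:
    """Collect the signals that fired, sum their weights, pick the friction tier."""
    reasons = []
    if ctx.payee_is_new:
        reasons.append("new_payee")
    if ctx.recent_amounts:
        if ctx.amount > UNUSUAL_AMOUNT_MULTIPLIER * statistics.median(ctx.recent_amounts):
            reasons.append("unusual_amount")
    elif ctx.amount >= NO_HISTORY_LARGE_AMOUNT:
        reasons.append("large_amount_no_history")
    if not ctx.device_trusted:
        reasons.append("untrusted_device")
    if ctx.on_phone_call:
        reasons.append("on_phone_call")
    if ctx.remote_access_tool:
        reasons.append("remote_access_tool")

    score = min(100, sum(WEIGHTS[r] for r in reasons))
    friction = next((f for floor, f in TIERS if score >= floor), Friction.ALLOW)
    return Decision(score, friction, reasons)


# Constructed scenarios.
HISTORY = [100.0, 150.0, 90.0, 200.0]                            # median 125
ROUTINE = PaymentContext(120.0, False, HISTORY, True, False, False)
NEW_PAYEE_LARGE = PaymentContext(9000.0, True, HISTORY, True, False, False)
COACHED = PaymentContext(9000.0, True, HISTORY, False, True, False)

if __name__ == "__main__":
    for name, ctx in [("routine", ROUTINE), ("new payee, large", NEW_PAYEE_LARGE),
                      ("coached", COACHED)]:
        d = assess_payment(ctx)
        print(f"{name}: score={d.score} friction={d.friction.value} reasons={d.reasons}")
```

Two design points worth keeping even when a vendor model replaces the weights: the decision carries its reasons, because the "reasonable steps" defence needs to show why a given payment was or was not held, and the tier thresholds are separate from the scoring so the contact-centre load can be tuned without retraining anything.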
Mule detection on inbound. Scam money doesn’t stay in one account. Your AML transaction-monitoring stack and your scams-detection stack have to share signals or you will miss the laundering leg.
Case-management and reporting. Every scam report, every investigation, every outcome has to be logged against a case, with an audit trail that survives ASIC scrutiny. Most banks have a working case system for fraud; the SPF reporting taxonomy is likely to be more granular.
Customer compensation workflows. When you breach, and you will breach, the compensation path has to be fast and auditable. Slow compensation will be the single most common reason regulators throw adverse-publicity orders.
For telcos
Scam number detection at the network level. SMS with spoofed sender IDs impersonating banks and government agencies is the single worst consumer-facing vector in Australia. The SPF Code for telcos will almost certainly require detection and blocking at the network layer, not just customer-facing reporting tools. ACMA’s existing scam code is the starting floor, not the ceiling.
Sender ID registries. Work with the SMS Sender ID Registry to ensure legitimate brands are protected and unregistered impersonators are blocked. Mature compliance looks like every outbound business SMS through your network being sender-ID-verified, not default-pass.
Call-path disruption. International-origin calls spoofing Australian caller IDs get blocked at the gateway. STIR/SHAKEN-equivalent work is underway. Technology stack upgrades that have been “next year’s problem” for five years are now this year’s problem.
For digital platforms
Advertiser verification. Social platforms carrying financial and investment ads will need proof-of-identity on advertisers, not just credit-card-on-file. This is where the “verify advertisers” line in the ministerial media release becomes real: uploaded government ID, beneficial-owner disclosure, and continuous-monitoring obligations. Meta’s business verification flow is useful prior art; what’s proposed here is stricter.
Rapid takedown. When a scam ad is detected, by your systems, by a consumer report, or by an ASIC notification, the removal SLA is measured in hours, not days. Your trust-and-safety pipeline needs the ability to execute bulk takedowns across duplicates without a human in the loop for every decision.
Content-origin signals for AI-generated scam content. This is where the SPF intersects with deepfake and generative-AI scams. Impersonation ads using synthetic celebrity endorsements have exploded since 2023. The Framework doesn’t specify the controls, but a reasonable-steps defence will almost certainly require you to be investing in synthetic-content detection, not just reactive moderation.
The agentic-AI angle nobody is talking about yet
I spend a lot of my time helping teams ship AI agents and voice agents into customer journeys. If that’s you, the SPF is a cliff edge you need to see before you go over it.
Voice agents that initiate or facilitate payments are in scope. If your voice agent helps a customer authorise a bank transfer, “the AI did it” is not a defence. The bank is responsible for the payment pathway. Every SPF control a human-mediated channel carries, an AI-mediated channel carries too, and arguably more, because agentic systems can be prompt-injected into assisting a scammer.
Agents that create or promote content on designated platforms inherit platform obligations. If your business uses an autonomous agent to place ads, generate product listings, or run outbound-message campaigns on designated platforms, and that agent is compromised or manipulated into facilitating scams, the platform you operate on will push liability back to you via its terms. Build the audit trail now: what the agent said, on whose behalf, with what inputs, approved by which human.
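Here is an added example of the audit trail just described: what the agent said, on whose behalf, with what inputs, approved by which human. It is not code from this post or from any agent framework. The record fields, the SHA-256 hash chain, and the choice to store only a digest of the inputs (with the full prompt and tool outputs kept elsewhere) are assumptions; the agent, merchant and timestamps are constructed.

```python
"""Hash-chained audit trail for agent actions (added example, assumptions noted)."""
import hashlib
import json
from dataclasses import asdict, dataclass, replace
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class AgentActionRecord:
    seq: int
    timestamp: str
    agent_id: str               # which agent acted
    principal: str              # on whose behalf (customer or business account)
    inputs_digest: str          # SHA-256 of the full inputs, which are stored separately
    output: str                 # what the agent said or did
    approved_by: Optional[str]  # human approver, or None if it auto-executed
    prev_hash: str              # links to the previous record
    record_hash: str = ""


def digest(obj) -> str:
    """Canonical JSON then SHA-256, so equal content always hashes equally."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def compute_hash(record: AgentActionRecord) -> str:
    fields = asdict(record)
    fields.pop("record_hash")       # the hash covers every other field
    return digest(fields)


class AgentAuditLog:
    GENESIS = "0" * 64

    def __init__(self):
        self.records: list = []

    def append(self, *, agent_id: str, principal: str, inputs, output: str,
               approved_by: Optional[str] = None,
               timestamp: Optional[str] = None) -> AgentActionRecord:
        prev = self.records[-1].record_hash if self.records else self.GENESIS
        draft = AgentActionRecord(
            seq=len(self.records),
            timestamp=timestamp or datetime.now(timezone.utc).isoformat(),
            agent_id=agent_id, principal=principal,
            inputs_digest=digest(inputs), output=output,
            approved_by=approved_by, prev_hash=prev,
        )
        record = replace(draft, record_hash=compute_hash(draft))
        self.records.append(record)
        return record

    def verify(self) -> bool:
        """Recompute every hash and link; False if any record was altered or removed."""
        prev = self.GENESIS
        for i, r in enumerate(self.records):
            if r.seq != i or r.prev_hash != prev or compute_hash(r) != r.record_hash:
                return False
            prev = r.record_hash
        return True

    def unapproved(self) -> list:
        """Actions that ran with no human approver: the ones a regulator will ask about."""
        return [r for r in self.records if r.approved_by is None]


def demo() -> dict:
    """Constructed walk-through: two records, one unapproved, then a silent edit."""
    log = AgentAuditLog()
    r0 = log.append(agent_id="listing-agent-1", principal="example-merchant-42",
                    inputs={"prompt": "draft a product listing", "sku": "SKU-001"},
                    output="listing draft created", approved_by="ops.reviewer",
                    timestamp="2026-05-01T09:00:00+00:00")
    r1 = log.append(agent_id="listing-agent-1", principal="example-merchant-42",
                    inputs={"prompt": "publish the draft"},
                    output="listing published", approved_by=None,
                    timestamp="2026-05-01T09:05:00+00:00")
    verified_before = log.verify()
    chained = r1.prev_hash == r0.record_hash
    unapproved_seqs = [r.seq for r in log.unapproved()]
    # Rewrite the stored output of record 0 without recomputing hashes.
    log.records[0] = replace(r0, output="listing draft created, budget confirmed")
    return {"verified_before": verified_before, "chained": chained,
            "unapproved_seqs": unapproved_seqs, "verified_after_tamper": log.verify()}


if __name__ == "__main__":
    print(demo())
```

Chaining inside your own store is the cheap half; to make the trail stand up in a dispute, the head hash should be periodically anchored somewhere the agent's operator cannot rewrite (a write-once bucket, a ticketing system, a signed timestamp), so that truncating the log is as detectable as editing it.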
Synthetic-voice spoofing is the next front. Voice agents make it trivial to clone a brand’s voice. The same technology makes it trivial for scammers to clone a bank’s or a government agency’s voice. The SPF’s “reasonable steps” test will, over the next 18 months, settle on an expectation that regulated entities deploy voice-liveness, watermarking, and caller-side verification. If you are building voice agents for banks, telcos, or government, treat anti-spoofing as a first-class requirement, not a nice-to-have.
AI governance and the SPF overlap, but don’t map cleanly. Running an agentic system under ISO 9001 for AI or an internal AI governance framework is good practice but won’t satisfy the SPF-specific obligations. Your governance artefacts need a scams-specific control set, which is why the senior-accountable-person model under the SPF Principles matters.
What to do this quarter
If you are inside a designated sector and 1 July 2026 is your target, here is the honest order of operations for the next ten weeks.
Week 1–2: scope and own the program. Appoint the senior-accountable person. Stand up a steering committee with legal, risk, tech, product, and operations. Map the Principles to existing controls and identify the true gap list. Resist the temptation to squash it into existing fraud workstreams; it will get buried.
Week 3–6: build the detect-disrupt-respond stack. For banks, this is Confirmation of Payee and the outbound-payment scam model. For telcos, it’s scam-number detection and sender-ID enforcement. For platforms, it’s advertiser verification and rapid-takedown SLAs. These are the controls that will either be in place by July or not; you cannot paper them over with policy.
Week 4–8 (parallel): reporting and case management. The consumer-facing scam-report pathway, the internal investigation workflow, the regulator-reporting pipes. These have to exist and be tested before any real scam hits the new regime.
Week 7–10: compensation readiness. AFCA dispute-handling (for banks), internal compensation decisioning, legal-hold procedures for contested cases. Nothing ruins a scams program faster than a slow compensation path that ends up in The Australian Financial Review.
Ongoing: evidence generation. Every design decision, every risk acceptance, every chosen technology vendor, every model threshold, document it. The test in enforcement is not “did you stop every scam” (impossible) but “did you take reasonable steps”. “Reasonable steps” is an evidence-backed defence, not a posture.
What smaller firms should do
If you are not in the first designated sector but you sell into it (a fintech embedded in a bank, a martech vendor plugging into social, a comms vendor selling to telcos), your customers are about to inherit SPF obligations that flow through to you via contract. Within the next quarter, expect:
- New control-attestation demands from bank and telco procurement.
- Revised data-processing agreements with scams-specific clauses.
- Audit-right clauses for regulator visibility.
- Liability apportionment changes where a scam transaction flows partly through your product.
Read every amendment before signing. One passive acceptance here can make your company’s risk profile worse overnight.
The bigger pattern
Australia has, for twenty years, lagged behind the EU and UK on consumer-protection law. The SPF reverses that. It is, to my knowledge, the first jurisdiction in the world to impose a combined, cross-sector, prevent-detect-disrupt-respond-report framework for scams, with real civil penalties. The UK’s Payment Systems Regulator has mandatory reimbursement; Singapore has a Shared Responsibility Framework for phishing; neither goes as far as what commenced here in February 2025.
That means two things. First, Australia is going to be the test jurisdiction where the compliance-engineering pattern is defined, and vendors, consultants, and ex-regulator advisors from Australia will export that IP globally over the next 5 years. Second, the entities that build the SPF stack well, who treat it as a real engineering program rather than a legal-ops check-box, will have a capability that generalises to every future scams-style regime in every future jurisdiction. Which is a decent consolation prize for the amount of work this is going to take.
Further reading
- Scams Prevention Framework Act 2025 (No. 15, 2025), Federal Register of Legislation
- Treasury, Scams Prevention Framework: Protecting Australians from scams (January 2025)
- ACCC media release, world-first scams prevention laws
- Gilbert + Tobin, The Scams Prevention Framework legislation passes Parliament
- Corrs Chambers Westgarth, key considerations for regulated entities
- Bird & Bird, explainer for Australia’s new Scam Prevention Framework
- Jones Day, Australia passes landmark scam prevention legislation
- Treasury Ministers, consulting on industry codes and rules
- HWL Ebsworth, AFCA’s new rules and the Scams Prevention Framework
- Original media release, Parliament passes world-leading scams prevention framework