Australian Scam Prevention Framework – Analysis of the November 2025 Treasury Consultancy
- Ken Palla


In February 2025, the Australian Parliament approved the Scam Prevention Framework (SPF). In essence, this legislation says that banks, telecom providers and digital platforms (known as ‘businesses’) must have controls in place to prevent consumer scams; if those controls are not in place, the consumer may be eligible for reimbursement from the business(es) involved in the scam. Businesses can also be fined for not having the defined controls in place. The controls are based on the six SPF principles included in the SPF legislation:
Principle 1: Governance – Regulated entities must implement governance policies, procedures, metrics and targets for combatting scams.
Principle 2: Prevent – Regulated entities must take reasonable steps to prevent scams connected with, or using their regulated services.
Principle 3: Detect – Regulated entities must take reasonable steps to detect scams connected with, or using their regulated services, including investigating activities subject to actionable scam intelligence, and identifying consumers who have been or may be impacted by such activities.
Principle 4: Report – Regulated entities must provide the SPF general regulator with reports of actionable intelligence about activities relating to, connected with or using their regulated services, and give this regulator a report about a scam upon request.
Principle 5: Disrupt – Regulated entities must take reasonable steps to disrupt an activity subject to actionable scam intelligence, prevent losses from that activity, and report to the SPF general regulator about the outcomes of the entity’s investigation into that activity.
Principle 6: Respond – Regulated entities must have an accessible mechanism for consumers to report activities that may or may not be scams, have a transparent and accessible internal dispute resolution mechanism, and be a member of an authorised external dispute resolution scheme.

In November 2025, AFCA expanded the set of banks considered part of the scam reimbursement process to include both the sending bank and the receiving bank. This change was initiated at the request of the then Assistant Treasurer, Stephen Jones, in early 2025.
In December 2025, the Australian Treasury confirmed that dating apps and online marketplaces are excluded under digital platforms and are not part of the SPF.
The November 2025 Treasury consultancy, just released, is the next step in making the SPF live and enforceable. It describes the responsibilities and controls for the businesses covered by the SPF and provides information on the reimbursement process.
Executive Summary
In November 2025, the Australian Treasury released the long-awaited consultancy on the approved Scam Prevention Framework (SPF). This is in essence part 2 of the process of bringing the Framework live. Part 1 was the legislation itself, passed in February 2025. The legislation described the SPF in broad terms, including the six SPF principles (described in the background section). This consultancy adds the critical controls and explains how reimbursement works if a business's controls are not compliant. Other steps will take place in 2026.
The SPF involves banks, telecom providers and digital platforms (excluding dating apps and online marketplaces), called ‘businesses’ in the consultancy. The consultancy document defines more than 30 controls, grouped as 1) responsibilities for all businesses and 2) specific responsibilities for each of the three sectors.
The consultancy contains a good list of controls. Examples of some of the better controls are:
Businesses must embed responsibility for scam prevention within their governance frameworks including strategic risk management and oversight.
Businesses must identify and verify new users of regulated services.
Banks must have systems in place to monitor all transactions for suspicious activity that might be a scam and identify actionable scam intelligence.
Digital platforms must verify advertisers hold appropriate licences to advertise high-risk products, such as financial services and healthcare products.
Telcos must have processes and systems in place to analyse traffic (calls and messages) for patterns or indicators of a scam.
One challenge with some of the controls, and with the language used to describe them, is that it may be difficult to determine whether a business is actually compliant with a given control.
Here are some examples of language that could make it difficult to assess compliance:
“Reasonable steps involve businesses taking genuine, proactive and proportionate actions to reduce scam activity on their platforms or services. These actions should reflect the size of the business, its operational complexity and exposure to scam-related threats.”
“Larger businesses or those facing higher scam risks may be expected to go beyond minimum requirements to meet their obligations under the SPF.”
“Sector codes will serve as the primary factor for assessing whether a business has taken reasonable steps. Other relevant factors include the size of the business and the kind of service involved in the scam.”
So, depending on the size of the business, the control could differ between two similar businesses and both could still be compliant.
The consultancy contains the key dates for deployment of the SPF. See Chart 1 for the key dates from the official Treasury document.
Chart 1- Key SPF Dates

The consultancy also contains information on how reimbursement will work. This section is most important for the consumer non-profits that have advocated for scam reimbursement. Banks, telecom providers and digital platforms must be compliant with the required controls. If a business is not compliant, it is:
Liable for scam reimbursement.
Subject to fines of up to AUS $50 million or 30% of adjusted turnover (revenue).
There are still too many holes in the reimbursement process. The final, still ‘to be written’, version of the reimbursement process will need more specifics for it to be complete and functional in 2026. Three examples of weaknesses in the consultancy document are:
The involved ‘business’ is defined as the entity that provides the compliance certification. There is potential for bias when the certification is provided by the same business that would be liable for reimbursement. Also, there is no mention of any way for the victim to challenge the compliance certification.
Although the SPF goes live on July 1 2026, External Dispute Resolution (EDR) does not go live until 6 months later.
Receiving banks are now included in the reimbursement mix, but there is not enough discussion of how they will actually take part in reimbursement. And remember, the victim is a customer of the sending bank, not the receiving bank. It may be that, since receiving banks are new to the mix, Treasury has not yet completed its explanation of how receiving banks will interface with the victim and the other businesses.
Several consumer non-profits have expressed concerns about the SPF, given the approaches defined in the consultancy documents. Stephanie Tonkin, CEO of the Consumer Action Law Centre, is worried that “the complex regulatory framework in the SPF appears difficult for Treasury to bring to life” and that “the high-level dispute resolution proposal in the consult papers is unworkable” (as defined in the consultancy). There are more comments later in this report.
This SPF consultancy is a very important next step in the fight against consumer scams. It contains an excellent list of controls that will help meet the goal of scam prevention. But the consultancy also indirectly highlights the difficulties of consumers actually obtaining reimbursement for scam losses.
The Consultancy Content
The included business sectors for the SPF on day 1 are:
1. Financial institutions (including sending and receiving banks)
2. Telecom providers
3. Digital platforms (excluding dating sites and online marketplaces)
Controls
The strength of this document is its 30+ listed controls for the involved businesses. It is a good list of controls for banks and digital platforms. The list of controls for telecom providers does not appear as strong. Specifically, for telecoms:
There is no specific control about preventing scam text messages.
There should be a requirement to label international calls.
For digital platforms, Treasury has exempted dating apps and online marketplaces, so no controls are required for them. From a consumer perspective, this creates a large hole in the SPF legislation.
Here are 10 examples of some of the better controls to prevent scams for the in-scope businesses.
Businesses must embed responsibility for scam prevention within their governance frameworks including strategic risk management and oversight.
Businesses must identify and verify new users of regulated services.
Banks must have systems in place to monitor all transactions for suspicious activity that might be a scam and identify actionable scam intelligence.
Digital platforms must verify advertisers hold appropriate licences to advertise high-risk products, such as financial services and healthcare products.
Telcos must have processes and systems in place to analyse traffic (calls and messages) for patterns or indicators of a scam.
Banks must have systems in place to identify consumers that have made a payment to a known scam account. This includes identifying customers at another bank where the bank identifies a home account that is suspected of receiving scam proceeds.
Digital platforms must have systems in place to proactively detect accounts, content, messages and advertisements suspected of being associated with scams.
Telcos must have processes and systems in place to analyse traffic (calls and messages) for patterns or indicators of a scam. This could include: calls or messages from numbers already under investigation; patterns of behaviour such as sending mass communications from a new number or IMEI; unusual increases in calls from a number; repeated short call durations; and calls from invalid numbers or from numbers on do-not-originate lists.
Digital platforms must permanently remove or delist content (for example, social media posts or videos) and advertising linked to a scam and prevent future distribution.
Digital platforms must take reasonable and proportionate measures to disrupt potential scam activity under investigation. This may include interim measures to: limit visibility of content and advertising being investigated for scam activity, publicly flagging content and messages being investigated for scam activity, suspending all display of advertising being investigated for scam activity.
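The traffic-analysis indicators in the telco control above (numbers under investigation, mass communications from a new number or IMEI, call-volume spikes, repeated short calls, invalid numbers, do-not-originate lists) are concrete enough to express as detection logic. The following is an added example, not code from the article, from Treasury or from any carrier; it scores constructed call and message records against each indicator, and the record layout, reference lists and every threshold are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    ts: int        # event time in seconds on a constructed clock
    kind: str      # "call" or "sms"
    src: str       # originating number, E.164 style (constructed values)
    imei: str      # originating handset identifier (constructed values)
    dst: str       # destination number (constructed values)
    duration: int  # call length in seconds; 0 for an sms


# Reference data a carrier would hold. Every value below is constructed.
UNDER_INVESTIGATION = {"+61400000001"}
DO_NOT_ORIGINATE = {"+61132221"}   # inbound-only numbers that should never originate traffic
FIRST_SEEN = {                     # when a number or IMEI first appeared on the network
    "+61400000002": 0, "IMEI-NEW": 0,                      # brand-new source
    "+61400000003": -90 * 86400, "IMEI-OLD": -90 * 86400,  # established source
}
BASELINE_CALLS_PER_HOUR = {"+61400000003": 4}   # historical hourly call rate

# Thresholds are assumptions for illustration, not Treasury or carrier values.
NEW_AGE = 7 * 86400   # a source is "new" if first seen within the last 7 days
WINDOW = 3600         # tumbling window length, seconds
MASS_THRESHOLD = 50   # events per window that count as mass communication
SPIKE_FACTOR = 5      # calls per window relative to baseline that count as a spike
SHORT_CALL = 10       # a call of at most this many seconds is "short"
SHORT_CALL_MIN = 20   # short calls per window that count as repeated short calls


def is_valid_number(n: str) -> bool:
    """Plausibility check: leading '+', then 8 to 15 digits (E.164 length bounds)."""
    digits = n[1:] if n.startswith("+") else ""
    return digits.isdigit() and 8 <= len(digits) <= 15


def is_new(ident: str, now: int) -> bool:
    """A number or IMEI never seen before, or seen only recently, is treated as new."""
    seen = FIRST_SEEN.get(ident)
    return seen is None or now - seen < NEW_AGE


def analyse(records):
    """Return {source number: sorted indicator names} for every source that tripped an indicator."""
    alerts = defaultdict(set)
    by_src = defaultdict(list)
    for r in records:
        by_src[r.src].append(r)
        # Per-record indicators: known-bad lists and malformed originators.
        if r.src in UNDER_INVESTIGATION:
            alerts[r.src].add("under_investigation")
        if r.src in DO_NOT_ORIGINATE:
            alerts[r.src].add("do_not_originate")
        if not is_valid_number(r.src):
            alerts[r.src].add("invalid_number")
    for src, rs in by_src.items():
        rs.sort(key=lambda r: r.ts)
        # Behavioural indicators are evaluated per tumbling window, starting at the first event.
        for start in range(rs[0].ts, rs[-1].ts + 1, WINDOW):
            win = [r for r in rs if start <= r.ts < start + WINDOW]
            if not win:
                continue
            new_source = is_new(src, start) or any(is_new(r.imei, start) for r in win)
            if new_source and len(win) >= MASS_THRESHOLD:
                alerts[src].add("mass_from_new_source")
            calls = [r for r in win if r.kind == "call"]
            baseline = BASELINE_CALLS_PER_HOUR.get(src)
            if baseline and len(calls) >= SPIKE_FACTOR * baseline:
                alerts[src].add("call_volume_spike")
            if sum(1 for c in calls if c.duration <= SHORT_CALL) >= SHORT_CALL_MIN:
                alerts[src].add("repeated_short_calls")
    return {src: sorted(names) for src, names in alerts.items()}


def make_sample_records():
    """Constructed traffic: one source per indicator plus one ordinary subscriber."""
    recs = []
    # 60 texts in half an hour from a number and handset first seen today.
    recs += [Record(i * 30, "sms", "+61400000002", "IMEI-NEW", f"+6141000{i:04d}", 0) for i in range(60)]
    # An established number placing 25 five-second calls in one hour against a baseline of 4 per hour.
    recs += [Record(10000 + i * 60, "call", "+61400000003", "IMEI-OLD", f"+6142000{i:04d}", 5) for i in range(25)]
    recs.append(Record(20000, "call", "+61400000001", "IMEI-X", "+61430000001", 45))    # under investigation
    recs.append(Record(20100, "call", "+61132221", "IMEI-Y", "+61430000002", 30))       # do-not-originate number
    recs.append(Record(20200, "sms", "12345", "IMEI-Z", "+61430000003", 0))             # malformed originator
    recs.append(Record(20300, "call", "+61411111111", "IMEI-OK", "+61430000004", 120))  # ordinary subscriber
    return recs


if __name__ == "__main__":
    for src, names in analyse(make_sample_records()).items():
        print(src, names)
```

The ordinary subscriber trips nothing even though it is unknown to FIRST_SEEN, because the "new source" indicator only fires together with mass volume; that pairing is what keeps a brand-new legitimate customer from being flagged on their first call.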
The Appendices list all of the controls identified in the document. There is a section for controls for all businesses, banks only, telecoms only and digital platforms only. There are approximately 40 controls listed.
The SPF continues to reinforce that its primary goal is to prevent consumer scams. The list of controls is robust. But the size of the list may cause businesses to request that the SPF start date be delayed. It is not clear how much work will be required for the businesses to come into compliance, nor how much interaction took place between Treasury and the businesses in 2025 to understand the controls build-out.
Some of these controls could take time to build out. A few examples:
Businesses must require multi-factor authentication for log in attempts from new devices.
Businesses must proactively detect scams on their services, including monitoring for suspicious transactions, communications, content, advertisements or account behaviour.
Banks must have systems in place to verify the identity of their customers and to understand the nature of their transactions.
Digital platforms must have authentication processes to ensure accounts are legitimate, including comparing new account details against previously banned accounts, and requiring business users and advertisers to provide appropriate identification.
Businesses must remove scams and scammers from their platforms.
Reimbursement
Reimbursement remains the weakest part of the SPF. Remember, the SPF says banks, telcos and digital platforms must have the defined controls and rules in place and properly functioning, OR the business could be liable for reimbursing the customer for the related scam loss. How does the customer know whether the involved businesses have the controls and rules in place and properly functioning? Why, the business will inform the customer that it is compliant (via a signed written compliance document). This is not exactly an independent assessment that the business is truly compliant.
So, the customer starts the reimbursement process at a disadvantage. Suppose they lost $100,000 in a romance scam. It started with meeting a bogus person on a dating site, or with receiving a “hi, how are you doing?” text message. Then they were moved to Telegram or WhatsApp to continue dozens of conversations or video chats using GenAI. X months later they have lost the $100,000 via bank transfers from a sending bank to one or more receiving banks.
Now the consumer has to start contacting these many businesses: the sending bank, multiple receiving banks, the telco or the dating site (now excluded). The consumer is emotionally distressed at this point and now has to deal with all of these businesses to try to get their money back. This will not, or at least may not, end well.
The process for reimbursement via the IDR or EDR does not appear to be in the customer’s favor. Yet this is what was promised: “compliance or reimbursement”. The consultancy does not level the playing field between the customer/victim and the businesses.
The Appendix has a section listing the requirements to support the reimbursement process.
Views On the Consultancy from Consumer Advocates
Alex Brooks, VP at Scam Victim Alliance, shared her concerns: “The policy intent is fantastic and to be applauded; but the reality of delivering that policy intent risks creating a whole new Mount Everest for scam victims to deal with. Victims will face the challenge of dealing with more powerful corporations who will duck and weave their way into claiming compliance, while criminals will continue to innovate and find new loopholes to exploit Australia’s uniquely vulnerable superannuation and real estate riches. There needs to be some targeted enforcement or audits of the compliance for it to be workable.”
Stephanie Tonkin, CEO of Consumer Action Law Centre, went even further with her concerns on how the SPF is shaping up: “The complex regulatory framework in the SPF appears difficult for Treasury to bring to life.
There are really good parts to the SPF's ecosystem approach, such as obligations on social media platforms to vet scam ads. Yet as more detail emerged recently on government's thinking (nearly a year on from the laws passing) the SPF appears less ambitious than the narrative. There are exclusions (marketplace, online dating apps won't be covered at least initially), businesses only need to take what they think are "reasonable steps" and according to their own resources, and the scams intel sharing (key to the whole SPF) only turns on from the end of 2027 - if on time.
The high-level dispute resolution proposal in the consult papers is unworkable. It entrenches the information asymmetry, doesn't accommodate multi-party internal dispute resolution and doesn't incentivise early settlement - so high volumes will proceed to AFCA. The burden of the system remains on scam victims' shoulders to prosecute.”
Clearly the consumer non-profits are concerned that scammers will continue to scam, while the government is taking time to roll out a less ambitious SPF, with a questionable reimbursement process.
Key Dates
Table 1 contains commentary on the key dates for SPF deployment.
Table 1- Key SPF Dates
Milestone | Commentary | Date
SPF goes live | This is the date proposed by Treasury. But given the number of controls defined by Treasury, the businesses may request and receive a new start date, possibly in early 2027. | July 1 2026
SPF fully implemented | | December 2027
Businesses required to join AFCA | Each business must join AFCA. Banks are already members of AFCA. | September 1 2026
AFCA consults on rule changes to implement EDR | AFCA will issue a consultancy on its new process as the SPF EDR. | TBD
AFCA EDR goes live | AFCA will be staffing up for this new responsibility as the SPF EDR. | January 1 2027
New Treasury rules for Principles 4 and 5 available | Including actionable scam intelligence sharing and scam investigation outcomes to regulators. | March 31 2027
Businesses begin reporting actionable scam intelligence | Businesses may begin sharing actionable scam intelligence between themselves before this date, but this is the date by which the information must be provided to the regulators. | December 2027
Observations on Consultancy Questions
The consultancy includes 26 questions to be answered by interested businesses and non-profit organizations. Below are some of the more interesting ones, with comments.
Question 12. What criteria should be used to determine when disruption actions are deemed necessary (for example, freezing accounts, removing content)?
Comment: This is an important question. For the controls to be effective, there will be some level of disruption activity (e.g. freezing a bank account, removing a suspicious financial ad, terminating a telco customer who sends scam messages). The businesses need to use a commercially reasonable process to determine when to use disruption. The businesses also need legal safe harbor when they cause disruption because of perceived scam-related activity.
Question 13. What safeguards should be in place to ensure disruption actions do not disproportionately impact legitimate users, particularly vulnerable cohorts and small business users?
Comment: This will be difficult to define. As an example, a bank might have reason to believe it has identified a money mule account, based on subsequent assessment of the account opening data or on anomalous transactions on a new account. Or a digital platform is 90% certain that a financial ad is a scam ad. How would one define the safeguards to be reviewed for these cases, versus a fraud analyst making that determination?
Question 15. How can SPF rules and codes encourage cooperation and timeliness in multi-party dispute?
Comment: This is an important question. Multiple businesses may be involved (perhaps two banks, a telco and possibly a digital platform such as Meta). There should be rules that force cooperation between these businesses; otherwise the consumer will be at an extreme disadvantage. This will be especially true if the complaint moves to the EDR process.
Question 17. If SPF codes allow consumers to opt out of certain frictions for certain transactions, how should that impact their right to redress?
Comment: If the SPF allowed the consumer to opt out of certain frictions, any potential reimbursement should be reduced accordingly.
Question 18. Should any additional information or evidence be included in the statement of compliance?
Comment: The statement of compliance should address, in a detailed but non-complex way, each of the controls and rules applicable to the specific business. It should describe what the control/rule is and what the business has in place to meet it. To add weight to the compliance document, it should be signed by a senior executive of the business who reports to the CEO. There should be penalties for signing a false compliance document.
Question 21. Should any code obligations be made to help ensure the external dispute resolution scheme operates effectively?
Comment: There should be a code obligation giving the EDR the right to question the business compliance document. The business should be required to allow the EDR, or a designated third party, to audit how the compliance document was created.
Question 23. What other exceptions to the definition of a scam would be appropriate to consider? In your response, please provide supporting evidence.
Comment: There are so many consumer scams that Treasury needs to be clear about which scams are included. Is it just authorized transactions made by the consumer based on deceitful misinformation? And if so, does this include romance scams, pig butchering, investment scams (carefully defined to exclude bad investments in real products, such as investing in bitcoin and having it drop in price, or investing in penny stocks), real estate email compromise (where a home buyer is given new instructions via email or phone to send the closing payment to a scammer’s account, thinking it is the real estate account), impersonation scams (bank staff, government officials, etc.), grandparent scams and more?
Question 26. What additional compliance costs will businesses in designated sectors incur to meet the indicative code obligations proposed in this paper?
Comment: Businesses will incur additional costs to manage a scam strategy, build out the scam controls, validate compliance, manage the IDR and support EDR questions. There will also be costs for the upcoming scam intelligence data sharing obligation.
Recommendations and Questions for Treasury
After a thorough review of the consultancy documents, here are some additional recommendations and questions.
When the Scam Prevention Framework goes into effect (currently projected July 1 2026), the External Dispute Resolution (EDR) process should be accelerated to be in place at the same time, even if the responses will be slower than preferred for the first six months.
Each business should provide a claimant with the important transaction information related to the scam. This can include: whether the customer was notified and, if so, what the outcome was; whether there was a confirmation of payee check with the receiving bank and, if there was a mismatch, whether the customer was notified before the transaction was processed; whether anyone had identified a financial ad as a scam and, if so, when it was taken down; and whether the related financial ad was properly vetted before it was posted.
A control for receiving banks should be money mule detection and removal, including anomaly detection on inbound transactions. This control will take time to deploy, so its start date should be one year from when the consultancy feedback is provided by Treasury.
There should be more discussion around the receiving bank responsibility for reimbursement. Here are two specific examples where more discussion is required:
It should be agreed that the term ‘receiving bank’ includes any receiving bank in the chain of money movement (e.g. if the money is sent from the sending bank to the first Australian receiving bank and then on to two or more additional Australian receiving banks, then all of the receiving banks involved in the money movement should be involved in reimbursement if their controls were not compliant).
Since there is now the sending bank, a receiving bank (not always), the telco or the digital platform, should a one-third split be considered when three businesses are involved in the consumer scam (i.e. treat the receiving bank as equal to the sending bank, telco or digital platform)?
There should be more discussion around determining whether a business is compliant. For example: if the business is partially compliant, what happens? If the business is partially compliant, but the controls directly related to the specific scam were fully compliant, what happens? What is the standard for a business to determine that it is compliant? And what role should the EDR play if the customer questions the business compliance statement?
Since it is reported that LLMs such as OpenAI’s ChatGPT will soon carry advertisements, should LLMs be included as a digital platform? The answer should be yes.
The consultancy says: “The codes will outline the minimum steps that these businesses must take to meet SPF obligations. In some circumstances, businesses may have to do more than is required in the codes to meet the principle-based obligations and what is reasonable for the business in the circumstances.” Given the “minimum steps” and “may have to do more”, how will that relate to a business determining that it is ‘compliant with code’? And how is compliance determined when the consultancy says “larger businesses may be required to implement more robust measures”?
The telcos should mark international calls as “international” for inbound calls to mobile devices.
Digital platforms should include dating sites and online marketplaces.
If a business produces an erroneous compliance document, stating the business is in compliance with the required controls, and in fact the business is not, then the business should be fined by an amount set by Treasury.
Summary
Australia is making real progress in the fight against consumer scams. The government has many efforts underway (quickly removing bogus investment web sites, the Scam Prevention Framework, fining telcos for not following the telco regulation/voluntary codes). Banks have added many scam controls on their own and every bank has a written scam prevention strategy. Telcos have a new voluntary code to help reduce scams.
The SPF now has a proposed robust set of controls for banks, telecom providers and selected digital platform activity that must be deployed, hopefully in 2026. Surprisingly, dating apps and online marketplaces have been excluded by the Australian government.
But consumer scam reimbursement is the somewhat lonely child. Since the businesses self-certify controls compliance, this is not an independent assessment. So, customers start with perhaps one hand tied behind their back in this reimbursement process. It would be expensive to have an independent compliance assessment, but what else is fair to the consumer?
It is clear that with all of these controls, some businesses will sometimes miss critical aspects of a control (e.g. Confirmation of Payee is in production and works properly, but for this one scam the bank forgot to tell the customer there was a mismatch, so the bank’s controls are technically in place and working, but there was human error this one time). There is more work required to make consumer scam reimbursement fair.
So, as of December 2025, it may be best to say the SPF has strong goals and a mostly whole-of-ecosystem approach, with robust sector-specific controls, but the plan for consumer reimbursement is really not yet well defined. At this point, the SPF is far from the UK mandatory APP scam reimbursement plan (which in itself may only be reimbursing 60-70% of consumer scams in ‘mandatory’ mode since October 7 2024).
But Australia is a step further, and further than many countries, in the fight against consumer scams. Remember, the SPF is first about scam prevention; only if the businesses are not compliant with the Treasury-defined controls does customer reimbursement come into play.
Appendices
Appendix 1. Proposed Controls for All Sectors
Businesses must embed responsibility for scam prevention within their governance frameworks including strategic risk management and oversight. This must include data-driven continuous improvement, systems to collect and analyze relevant datasets, maintenance of comprehensive records of scam-related complaints and outcomes and the monitoring of the controls for effectiveness.
Businesses must have systems in place to identify vulnerabilities that are being or could be exploited by scammers on their services.
Businesses must require multi-factor authentication for log in attempts from new devices.
Businesses must provide accessible information to consumers about scam risks on their services, including a scam awareness webpage.
Businesses must provide scam prevention training to relevant staff, tailored to their roles. For scam response roles or customer-facing roles, businesses must have processes in place to ensure staff understand emerging scam trends.
Businesses must proactively detect scams on their services, including monitoring for suspicious transactions, communications, content, advertisements or account behaviour.
Businesses must report and share actionable scam intelligence (with specific requirements being made available in 2026).
Businesses must investigate actionable scam intelligence, including systems or processes in place to gather specific data to assist potential disruption activities.
Businesses must identify and verify new users of regulated services.
Businesses must remove scams and scammers from their platforms.
Businesses should impose risk-based controls to prevent scams from occurring on their platform. This could involve imposing additional verification requirements for digital platforms around advertising services with a high scam risk (such as financial advice); or requiring banks to provide additional warnings before completing higher-risk transactions, such as new transfers to overseas accounts. This should also include providing additional protections for consumers at higher risk of being scammed.
Businesses should provide customer education including customer service interactions and public awareness campaigns.
Businesses must take effective steps to protect their brand (brand impersonation) from being used in scams, including on other communication platforms, such as social media and online search services.
Businesses must have systems in place to identify consumers impacted or potentially impacted by a scam.
Businesses must alert customers as soon as practicable where there is a risk they are involved in an ongoing scam.
Businesses must issue targeted scam alerts to consumers where there is a reasonable suspicion a specific scam threat may impact them.
Businesses must restore disrupted services where investigations found that the relevant activity was not a scam.
Businesses must notify consumers impacted by disruption activities, including how the disruption affects them.
When businesses have actionable scam intelligence, the business must take reasonable steps to investigate the scam, identify impacted customers and disrupt the scam.
Businesses must share scam information. Reporting this information to regulators is delayed until March 2027.
Appendix 2. Proposed Reporting and Complaint Requirements for all Sectors
Publish information on how to make complaints, including how to make an urgent report about a scam that may be in progress.
Accept scam reports 24/7 and free of charge, and provide an acknowledgement of a scam report as soon as practicable but within 24 hours of receiving the report.
Issue any proposed remedy within 30 calendar days of receiving an SPF complaint, explaining why reimbursement is occurring or not occurring. Include customer right to escalate to the EDR.
Statements of (controls) compliance must be provided to a consumer in writing no later than 30 calendar days after the business receives a scam complaint, and be signed off by a manager with responsibility and oversight of the matters contained in the complaint.
Statement of compliance must set out what specific steps the business took to comply with the SPF in relation to the consumer’s scam.
As a default, each entity offering to compensate a consumer for a multi-party scam loss should pay an equal share of compensation. Where one entity is clearly more or less culpable for the loss and agreement is reached between businesses within IDR timeframes, other apportionment arrangements may be agreed.
Appendix 3. Proposed Controls for Banks
Banks must provide targeted warnings about scam risks to customers before they make high-risk payments.
Banks must use name-checking technology (Confirmation or Verification of Payee) to confirm a payee’s details match those provided by the payer.
Banks must have systems in place to verify the identity of their customers and to understand the nature of their transactions.
Banks must have systems in place to monitor all transactions for suspicious activity that might be a scam and identify actionable scam intelligence.
Banks must have systems in place to identify consumers who have made a payment to a known scam account. This includes identifying customers of another bank where the bank finds that one of its own accounts is suspected of receiving scam proceeds.
Banks must close – and block payments to and from – accounts controlled by scammers (where the account owner is either the scammer or complicit in the scam) or freeze the account and return it to the account owner (where the account access was stolen from an innocent party).
Banks must take reasonable and proportionate measures to disrupt potential scam activity. This may include interim or permanent disruption actions, such as issuing a payment recall request, suspending or freezing an account suspected of being used by a scammer while the bank investigates, and enabling customers to instantly freeze their accounts to block outgoing payments when they are concerned they have been compromised by scammers.
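The name-checking control above (Confirmation of Payee) compares the payee name the payer typed against the name held on the destination account and answers match, close match or no match before the payment is released. The Python below is an added illustration written for this analysis; it is not code from the SPF consultation or from any bank's implementation. The normalisation rules (dropping titles and company suffixes), the initials rule, the 0.80 similarity threshold and the decision to disclose the held name only on a close match are all assumptions made for the example, not scheme rules.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Assumed threshold for a "close match"; a real scheme sets its own rules.
CLOSE_MATCH_THRESHOLD = 0.80
# Assumed noise tokens ignored when comparing names (titles and company suffixes).
_IGNORED = {"mr", "mrs", "ms", "miss", "dr", "pty", "ltd", "limited", "inc", "co", "company"}


def normalise_name(name: str) -> str:
    """Fold accents and case, drop punctuation, titles and company suffixes."""
    text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    text = re.sub(r"[^a-z0-9 ]+", " ", text.lower())
    return " ".join(t for t in text.split() if t not in _IGNORED)


def _initials_match(a: str, b: str) -> bool:
    """'j smith' vs 'john smith': same surname, each given name equal or an initial of the other."""
    ta, tb = a.split(), b.split()
    if len(ta) != len(tb) or ta[-1] != tb[-1]:
        return False
    for x, y in zip(ta[:-1], tb[:-1]):
        short, long_ = sorted((x, y), key=len)
        if x != y and not (len(short) == 1 and long_.startswith(short)):
            return False
    return True


def check_payee(payer_entered: str, account_name: str) -> dict:
    """Compare the payer-entered name with the name held on the destination account.

    Returns result "match", "close_match" or "no_match" plus a similarity score.
    The held name is returned only on a close match (the payer already has it on
    a match), so the check cannot be used to enumerate account holders by
    probing with arbitrary names.
    """
    entered, held = normalise_name(payer_entered), normalise_name(account_name)
    if not entered or not held:
        return {"result": "no_match", "score": 0.0, "account_name": None}
    if entered == held:
        return {"result": "match", "score": 1.0, "account_name": None}
    score = SequenceMatcher(None, entered, held).ratio()
    if _initials_match(entered, held):
        score = max(score, CLOSE_MATCH_THRESHOLD)
    if score >= CLOSE_MATCH_THRESHOLD:
        return {"result": "close_match", "score": round(score, 2), "account_name": account_name}
    return {"result": "no_match", "score": round(score, 2), "account_name": None}


if __name__ == "__main__":
    # Constructed name pairs for demonstration.
    for entered, held in [("John Smith", "JOHN SMITH"), ("J Smith", "John Smith"),
                          ("Acme Pty Ltd", "Acme Holdings Pty Ltd"), ("Jane Doe", "Mary Brown")]:
        print(f"{entered!r} vs {held!r} -> {check_payee(entered, held)}")
```

A close match is the case that matters for scam prevention: the payer is shown the held name and asked to confirm, which is where an invoice-redirection or impersonation scam usually surfaces, whereas a flat no match should block or warn without revealing who actually holds the account.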
Appendix 4. Inferred Proposed Specific Controls for Receiving Banks
Businesses must provide scam prevention training to relevant staff, tailored to their roles.
Businesses must investigate actionable scam intelligence, including systems or processes in place to gather specific data to assist potential disruption activities.
Business must identify and verify new users of regulated services.
Businesses must remove scammers from their platforms.
Businesses must notify consumers impacted by disruption activities, including how the disruption affects them.
Businesses must have systems in place to identify vulnerabilities that are being or could be exploited by scammers on their services.
Banks must have systems in place to monitor all transactions for suspicious activity that might be a scam (or scam related) and identify actionable scam intelligence.
Appendix 5. Proposed Controls for Telecommunications Sector
Carriage service providers must verify a customer has a legitimate use case before offering certain services.
Telcos must have processes and systems in place to analyse traffic (calls and messages) for patterns or indicators of a scam. Indicators could include calls or messages from numbers already under investigation, patterns of behaviour such as mass communications sent from a new number or IMEI, an unusual increase in calls from a number, repeated short call durations, and calls from invalid numbers or from numbers on Do Not Originate lists.
Telcos must have systems in place to identify consumers who received scam calls or short messages, with a focus on consumers who have engaged with the suspected scammer via returning a text message or speaking with them on the phone.
Carriage service providers must block calls and messages from or to calling line identifiers (CLI) confirmed to be a scam following investigation of actionable scam intelligence.
Carriage service providers must temporarily withdraw CLI from calls and messages from or to phone numbers which are subject of an investigation of actionable scam intelligence.
Appendix 6. Proposed Controls for Digital Platforms
Digital platforms must verify advertisers hold appropriate licences to advertise high-risk products, such as financial services and healthcare products.
Digital platforms must provide warnings to users in high-risk circumstances, such as receiving messages from unconnected accounts, or messages requesting financial details.
Digital platforms must have authentication processes to ensure accounts are legitimate, including comparing new account details against previously banned accounts, and requiring business users and advertisers to provide appropriate identification.
Digital platforms must have systems in place to proactively detect accounts, content, messages and advertisements suspected of being associated with scams.
Digital platforms must identify, notify and warn: owners of accounts exhibiting behaviour associated with account compromise, consumers who have communicated with accounts associated with scam activity or interacted with content or advertisements associated with scam activity.
Digital platforms must permanently ban users and advertisers found to have been operating scams on their services and prevent them from creating new accounts.
Digital platforms must permanently remove or delist content (for example, social media posts or videos) and advertising linked to a scam and prevent future distribution.
Digital platforms must notify users they identify as having been potentially impacted by a scam (for example, users who have interacted with content since removed for scams) and warn users in real time if they are contacted by accounts under investigation for scam activity.
Digital platforms must take reasonable and proportionate measures to disrupt potential scam activity under investigation. This may include interim measures to limit the visibility of content and advertising being investigated for scam activity, publicly flag content and messages being investigated for scam activity, and suspend all display of advertising being investigated for scam activity.
About Ken Palla
Ken Palla has worked in online security since 2005. He was a Director at MUFG Union Bank, retiring in early 2019, where he managed online security for both commercial and retail customers. Ken was an advisor to the RSA eFraud Global Forum and a Program Committee member for the annual RSA Conference in San Francisco. In 2019 he received the Legends of Fraud Award. He has published many white papers on the need to focus on online customer safety, on online authentication and on how to select a multi-factor authentication solution.
Most recently, he has been writing about consumer financial scams and how financial institutions around the world are adding scam controls and, in some cases, providing reimbursement. He currently consults to banks and online security vendors and is a member of The Knoble Scam Committee.