    February 24, 2026 | Abshir Warsame | CCISO | CISM | CISA

    Preparing Your Board for the Scams Prevention Framework: A Director's Guide

    A director of a regulated Australian financial institution who cannot answer basic questions about their organisation's anti-scam strategy is not in a defensible position. That's not an opinion — it's the direction of travel in Australian regulatory and corporate governance law, and the Scams Prevention Framework (SPF) has made it explicit.

    The SPF passed into law as an amendment to the Competition and Consumer Act 2010. It carries penalties of up to AUD $50 million for non-compliance and is jointly administered by the ACCC and ACMA. It applies directly to telcos, banks, and digital platforms — and it establishes a new standard of accountability that reaches all the way to board level. If your board hasn't been briefed on SPF obligations yet, the framework has already been in effect for longer than that gap in oversight can comfortably be explained.

    Why the SPF Is a Board Issue, Not an IT Issue

    The most common governance error organisations make with new regulatory frameworks is treating them as technical compliance matters to be handled by the IT team, the legal counsel, and perhaps a risk manager. The SPF is not that kind of framework.

    The SPF requires regulated entities to maintain a documented anti-scam strategy — not a policy document sitting in a shared drive, but a board-approved strategic commitment that shapes how the organisation detects, prevents, disrupts, responds to, and reports on scam activity. A documented strategy that the board hasn't seen, hasn't endorsed, and can't explain is not a defensible strategy.

    Directors already have obligations under the Corporations Act to exercise care and diligence in overseeing material risks to the business. Cyber security and scam exposure are material risks. APRA's CPS 234 requires board-level oversight of information security for regulated entities. The Australian Cyber Security Centre's ISM requires the CISO — or equivalent — to report directly to the board. The SPF builds on these existing obligations and adds a sector-specific enforcement mechanism with teeth.

    The CISC's overview of cyber security obligations for corporate leaders sets out clearly what's expected of directors in this environment. The SPF doesn't change the underlying principle — it sharpens the consequences.

    What Directors Need to Understand About SPF Obligations

    Directors don't need to understand the technical mechanics of scam detection. They do need to understand the following:

    • The framework is mandatory, not aspirational. The SPF is law. For banks, core obligations must be met by 30 June 2026. The framework applies to your organisation whether or not management has briefed the board on it.
    • The six obligation pillars are interconnected. The SPF requires an anti-scam strategy, plus active obligations across prevention, detection, disruption, response, and reporting. A gap in any pillar creates regulatory exposure. Boards should be asking whether each pillar has been assessed and whether documented evidence of compliance exists.
    • Penalties are entity-level and significant. Up to AUD $50 million in penalties creates the kind of financial exposure that directly implicates directors' duties under the Corporations Act. The question of whether the board took reasonable steps to oversee SPF compliance will be central to any enforcement inquiry.
    • "Documented" is a key word throughout the framework. Regulators will not accept verbal assurances. The SPF expects documented strategies, documented detection protocols, documented response procedures, and documented reporting to regulators. If a board cannot point to the documentation, it doesn't exist in regulatory terms.

    The Governance Requirements: What Good Looks Like

    A board that is genuinely discharging its SPF-related governance obligations will be able to demonstrate the following:

    • Board-approved anti-scam strategy. Not a management paper — a board resolution approving a documented strategy that is reviewed at defined intervals. The strategy should describe the organisation's scam risk profile, its programme of controls, and its escalation and reporting obligations.
    • Regular risk metrics and reporting. Boards should be receiving structured reporting on scam risk indicators: volumes of detected scam attempts, response times, customer impact data, and changes in the threat landscape. If the only time the board hears about scams is when something goes wrong, the governance structure is inadequate.
    • Defined escalation and response protocols. Who in the organisation has authority to escalate a scam incident? What's the timeline for reporting to regulators? What's the customer communication protocol? These questions should have documented answers the board has seen and endorsed.
    • Third-party and supply chain visibility. Many organisations' SMS and digital communications are managed through intermediaries. Boards should understand what due diligence exists on the scam-prevention posture of key suppliers.

    Five Questions Every Director Should Be Asking

    If you're a director of a telco, bank, or digital platform, these are the questions you should be putting to management — and expecting structured, documented answers to:

    1. Has the board formally approved a documented anti-scam strategy? If not, when will one be presented for approval?
    2. What is our current compliance status against each of the six SPF obligation pillars? Where are the gaps, and what is the remediation plan?
    3. What scam risk metrics are we tracking, and how often does the board receive a structured report?
    4. What is our regulatory reporting obligation under the SPF, and do we have a tested process for meeting it?
    5. What is the status of our Sender ID registration? For organisations that send branded SMS, this is a directly linked obligation with a 15 May 2026 registration deadline and a 1 July 2026 mandatory compliance date.

    These aren't trick questions. They're the basic governance hygiene that the SPF — and pre-existing obligations under the Corporations Act, APRA CPS 234, and the ACSC's ISM — would expect any diligent director to be asking. If management can't answer them with structured evidence, that itself is a finding worth acting on.

    The Australian Cyber Security Centre's guidelines for cyber security roles provide useful context for boards on what adequate reporting structures look like.

    The Role of a vCISO in Board-Ready Reporting

    Many mid-market organisations don't have a full-time CISO — and even some larger organisations don't have the internal capability to translate scam risk and cyber security complexity into board-ready language. This is the gap a virtual CISO (vCISO) fills.

    A vCISO embedded into your governance structure provides the board with an accountable, expert voice on cyber and scam risk that sits outside the day-to-day IT function. They can prepare board papers on SPF compliance status, translate technical risk metrics into governance language, and ensure that the documented evidence the SPF requires is structured and maintained.

    For organisations preparing for the 30 June 2026 compliance date, a vCISO engagement that begins now — not in May — is the difference between a controlled compliance programme and a last-minute scramble. TritonArk's vCISO advisory service is specifically structured to provide this board-level reporting function, with deep experience in Australian regulatory frameworks.

    What "Reasonable Steps" Means — and Why It Matters for Directors

    The SPF, like many Australian regulatory frameworks, relies on a "reasonable steps" standard. Regulators and courts assessing compliance will ask: did this organisation take the steps that a reasonable entity in its position would have taken, given what was known about the framework and the timeline?

    "Reasonable steps" is not a vague standard. It is assessed against documented evidence of action. A board that received a briefing on SPF obligations, approved a documented strategy, received regular risk reporting, and ensured management had resourced the compliance programme adequately — that board will be in a very different position to one that treated the framework as a management matter and received no structured reporting.

    The SPF is an opportunity to build a governance posture around scam prevention that is robust, documented, and demonstrably board-endorsed. Organisations that build that posture now will not need to explain gaps when enforcement activity begins.

    Our GRC advisory team works with boards and executive teams to build the governance structures the SPF requires — from strategy documentation and risk metric frameworks through to board reporting templates and compliance readiness assessments. Our SPF readiness programme provides a structured pathway to compliance across all six obligation pillars. If your board hasn't yet received a formal SPF briefing, that conversation is worth having now — well before the June 2026 compliance deadline narrows your options.
