Australia's Scams Prevention Framework: what telcos and digital platforms must do now
In a single year under Australia's existing scam-reduction code, telcos blocked approximately 1.4 billion scam calls and 336 million scam SMS messages. Despite that scale of intervention, scam losses continued to cost Australians hundreds of millions of dollars annually. The existing framework, built on voluntary commitments and sector-specific codes, wasn't enough.
Australia responded with something more significant: the Scams Prevention Framework (SPF), which passed into law on 13 February 2025 as new Part IVF of the Competition and Consumer Act 2010 (Cth). It is, by international standards, landmark legislation — the first framework of its kind to impose consistent, enforceable, cross-sector obligations on the organisations best positioned to stop scams before they reach consumers. The penalties for non-compliance reach AUD $50 million per offence.
If your organisation operates in telecommunications, banking, or digital platforms — or if you provide services to organisations that do — the obligations under the SPF are not a future consideration. Several are already in effect, and the clock is running on the rest.
What makes the SPF different from what came before?
Previous approaches to scam prevention in Australia were fragmented. Telcos operated under their own industry codes. Banks followed guidance from ASIC and AUSTRAC. Digital platforms largely self-regulated. Obligations varied in specificity, enforcement was inconsistent, and there was no coherent mechanism for cross-sector intelligence sharing.
The SPF replaces this patchwork with a unified legislative framework — one that establishes common principles applicable across all designated sectors, requires sector-specific codes that translate those principles into concrete obligations, and empowers three separate regulators to take enforcement action.
Critically, the SPF adopts a "reasonable steps" standard rather than prescribing exact measures. This means obligations scale with the size, capabilities, and risk profile of the regulated entity. A small regional telco and a major digital platform face the same principles, but proportionate implementation requirements. What's considered "reasonable" will be defined progressively through the sector-specific SPF Codes, which are still being developed.
As Jones Day's analysis of the legislation notes, the SPF applies not only to entities based within Australia but also to overseas-based corporations providing services into the Australian market. Geographic location is not a defence.
Which sectors are affected?
The SPF currently designates three sectors:
- Telecommunications — Carriers, carriage service providers, and electronic messaging service providers. Regulated by ACMA.
- Banking — Banks and authorised deposit-taking institutions. Regulated by ASIC.
- Digital platforms — Social media platforms, search engines, and other digital services designated by the Treasury Minister via legislative instrument. Regulated by ACCC.
Additional sectors may be designated in future. The three initial sectors were chosen because they represent the primary vectors through which scams reach and harm Australians — the channels through which contact is made, trust is exploited, and money moves.
For businesses operating adjacent to these sectors — third-party service providers, technology vendors, SaaS platforms embedded in telco or banking stacks — the SPF creates indirect obligations. Where your product or service is part of a regulated entity's scam prevention capability, that entity's compliance expectations flow through to your contractual and operational relationship with them.
The six SPF obligations: what regulated entities must demonstrate
The SPF Principles establish six core obligation areas. Each will be further elaborated in sector-specific SPF Codes, but the framework obligations are already in force.
1. Prevent
Regulated entities must take reasonable steps to prevent scams from reaching or affecting consumers. This is not a passive obligation. It requires active measures — technical controls, process design, and product decisions — that reduce the likelihood of scam contact through the entity's services.
2. Detect
Entities must have systems and processes capable of identifying scam activity and suspicious patterns within their platforms or networks. For telcos, this extends existing obligations under scam codes. For digital platforms, it requires investment in detection capabilities that may not have previously been required by law.
3. Disrupt
When a scam is identified, entities must take reasonable steps to disrupt it — block the communication, suspend the account, or otherwise interrupt the scam before further consumer harm results. A 28-day safe-harbour provision applies for entities that act in good faith with reasonably proportionate disruption measures, providing some protection against retrospective enforcement for prompt responders.
4. Report
Credible scam intelligence must be reported to the coordinating regulator. This creates a mandatory intelligence-sharing obligation that didn't previously exist for all three sectors. The practical implication is that regulated entities need documented processes for identifying what constitutes "credible scam intelligence" and defined workflows for reporting it on the required timeframes.
5. Respond
Regulated entities must provide an accessible mechanism for consumers and small businesses to report scams or suspicious activity. This isn't simply a customer service function — it's a regulatory requirement with documentation expectations attached. Entities also have obligations under the dispute resolution provisions of the SPF that may expose them to external dispute resolution processes and, potentially, class actions if obligations aren't met.
6. Governance
Perhaps the most operationally demanding obligation: entities must document and implement corporate governance policies and procedures covering all of the above areas — prevention, detection, disruption, response, and reporting. They must also develop and implement performance metrics to measure the effectiveness of those governance measures.
This is where the SPF transitions from being a reactive security obligation to a proactive governance requirement. The expectation isn't just that you respond to scams — it's that you have a documented, measurable programme for doing so.
Timelines: what's already required and what's coming
- 13 February 2025 — The SPF passed into law.
- 30 June 2026 — Banks must comply with core SPF obligations under the banking sector SPF Code. This is the most immediately pressing deadline for the financial sector.
- Telecommunications — ACMA is developing the telco SPF Code. Given ACMA's existing scam code infrastructure, the telco obligations are expected to build on established frameworks, but the SPF raises the legal weight of those obligations and the consequences of non-compliance significantly.
- Digital platforms — The ACCC is leading the digital platforms SPF Code development. For large platforms, engagement with this process is already underway.
The SPF Codes are likely to be finalised progressively through 2026. Organisations that are treating the absence of a finalised Code as a reason to delay preparation are taking a material risk: the SPF Principles are already law, and "we were waiting for the Code" is not a defence against obligations that are already active.
What this means for businesses connected to designated sectors
Even if your business is not itself a regulated entity under the SPF, the framework has practical implications if you operate within the supply chain of a telco, bank, or digital platform:
- Technology and SaaS vendors whose products touch anti-scam, authentication, communications, or fraud detection capabilities will face increased scrutiny from their customers — and potentially explicit contractual requirements — as regulated entities seek to demonstrate their SPF compliance.
- Professional services firms advising regulated entities will be expected to understand the SPF obligations as a baseline.
- Businesses whose SMS communications rely on telco infrastructure — including those affected by the Sender ID Register — are part of the ecosystem the SPF is designed to protect and regulate.
The SPF doesn't exist in isolation. It operates alongside the SMS Sender ID Register, the Consumer Data Right, and a broader trajectory of Australian regulatory development that consistently moves toward stronger obligations, clearer accountability, and higher penalties.
Why the SPF requires security leadership, not just compliance management
This is where the distinction between a compliance exercise and a genuine security programme becomes consequential.
The governance obligation under the SPF — documented policies, performance metrics, measurable targets — is not something that can be adequately addressed by a compliance checklist. It requires organisations to understand their actual scam risk profile, design proportionate controls, embed those controls into operational processes, and demonstrate their effectiveness over time.
That work requires security leadership. The questions the SPF asks — what are your scam vectors, what controls exist at each point, how do you know they're working, what happens when they fail — are the same questions a competent vCISO asks of any security programme.
For regulated entities that don't have that security leadership internally, the SPF creates a significant gap. Appointing a compliance officer to manage a checklist will not produce the documented, metrics-driven governance framework the legislation requires. And when the regulators — the ACCC, ASIC, and ACMA — begin assessing compliance, the depth of that governance programme will be a primary focus.
Many Australian organisations in the banking and telecommunications sectors are already investing in exactly this kind of structured, leadership-driven compliance work. The organisations that are building genuine programmes now are the ones that will face enforcement with confidence rather than exposure.
TritonArk's SPF Readiness advisory supports regulated entities and their supply chains in building the governance foundations the SPF requires — from scam risk assessment through to documented policy and metrics frameworks. For organisations that need ongoing security leadership to carry this work forward, our vCISO Advisory service provides that capability without the cost and timeline of a full-time executive hire.
The Jones Day analysis of the SPF remains one of the clearest summaries of what the legislation requires and how it will be enforced. If your organisation's SPF response plan doesn't yet match the scope of what that legislation demands, that's worth addressing before the enforcement calendar catches up with the preparation timeline.
