
The Privacy Series: The Scams Prevention Framework
To help marketers prepare for the impact that the privacy reforms will have on the industry and our practices, we have created The Privacy Series. Each month we will deep dive into one of the key components set to reshape the Privacy Act to understand what they mean for marketers and their businesses.
The Scams Prevention Framework
Consumer scams have consistently made headlines over the past few years, which is no surprise given their prevalence. The Australian Competition and Consumer Commission’s (ACCC) latest Report of the National Anti-Scam Centre on scams data and activity revealed that in 2024, there were 494,732 reported scams, of which 207,605 equated to $2.03 billion in losses for Australians. While this is somewhat of a year-on-year decrease compared with 2023, and again with 2022, it is still an alarming figure for all stakeholders.
With the number of scams or attempted scams targeting Australians on a daily basis, in February 2025 the Australian Government took action and passed the Scams Prevention Framework Bill (2024). In this latest edition of the Privacy Series, we will explore the new Scams Prevention Framework and what impact it will have on marketers.
What is the Scams Prevention Framework?
Given the economy-wide and societal impact that scams are having in Australia, last month the government passed the Scams Prevention Framework Bill (2024). The Scams Prevention Framework is an approach for protecting Australian consumers from scams. The Framework requires service providers in selected sectors to take a variety of actions or reasonable steps to combat scams involved with or relating to their services. Initially, the government has indicated it will designate telecommunications, banking, and digital platform services (including social media, paid search engine advertising, and direct messaging) as regulated sectors. Any business in Australia with operations that fall under one of these sectors will need to ensure its marketing practices are compliant with the new framework.
The ACCC will be the regulator for the Scams Prevention Framework. However, where necessary another regulator may enforce the framework, like the Australian Securities and Investments Commission (ASIC) for banking, and the Australian Communications and Media Authority (ACMA) for telecommunications, for example. Businesses classified as regulated entities will need to ensure full compliance with the obligations set out in the Scams Prevention Framework.
What are the Scams Prevention Framework obligations?
The Scams Prevention Framework sets out a series of overarching obligations or principles that apply to the regulated entities. Within these obligations, there is the opportunity to create more specific codes relating to a particular sector, for example telecommunications vs financial services.
The Scams Prevention Framework obligations include:
- Govern: documenting and implementing governance policies, procedures, metrics, and targets for combating scams. These should cover preventing, detecting, disrupting, and responding to scams related to the regulated services. A senior officer (such as a Director or the Company Secretary) must approve these measures annually.
- Prevent: reasonable steps must be taken to prevent scams related to the regulated service/s. This includes acting on actionable scam intelligence and implementing measures to protect consumers. The sector-specific codes may detail further what is considered as ‘reasonable steps’.
- Detect: take reasonable steps to detect scams, including investigating actionable scam intelligence and identifying impacted consumers. Businesses must investigate actionable scam intelligence within 28 days. The sector-specific codes may outline reasonable timeframes and steps for this obligation.
- Report: report actionable scam intelligence to the ACCC, following the prescribed timeframes, manner, and form outlined in the Scam Prevention Framework rules. Businesses must also provide scam reports to the relevant designated regulator upon request.
- Disrupt: reasonable steps must be taken to disrupt scams relating to the regulated services, including preventing losses. You are protected from liability for damages if your actions are taken in good faith, comply with the provisions, and are proportionate to the activity and available information.
- Respond: internal dispute resolution mechanisms for consumer complaints related to scams must be in place. Businesses must also be a member of an authorised external dispute resolution scheme for your sector.
Why does this matter for marketers?
As noted above, once a business is classified as a regulated entity, it will need to ensure full compliance with the obligations set out in the Scams Prevention Framework. Given the government has indicated it will designate telecommunications, banking, and digital platforms (including social media, paid search engine advertising, and direct messaging) as regulated sectors, the marketing operations of these impacted businesses will also need to be compliant.
As marketers are on the front line when it comes to consumer data and are a direct pathway from a business to its customers, implementing the Scams Prevention Framework is paramount for compliance. To best avoid potential scam activity for customers, marketing teams within these regulated services will need to execute business policies and procedures that adhere to the obligations and that ultimately build customer trust in your brand. This includes actively taking reasonable steps to prevent scams relating to these regulated services such as stringent data privacy and data security when collecting data, to protect customers. The more that is done by marketing teams from the outset, the better the position of the organisation to avoid scams and demonstrate compliance with the Scams Prevention Framework obligations. Not only that, it will position a brand’s commitment to customer privacy, which in a world of frequent scam activity is of high intrinsic value.
It would be remiss not to mention that non-compliance can result in various enforcement actions. These include civil penalties, infringement notices, enforceable undertakings, injunctions, and adverse publicity orders. Not to mention the reputational damage and broken customer trust that will ensue. It is also worth noting that, even if your organisation does not fall within one of the designated sectors identified, the Government has made clear that it is likely that the Scams Prevention Framework will be expanded to other sectors in future.
It’s no easy feat to be a compliant and responsible marketer. The regulatory landscape is evolving and broadening with great impact on the roles and responsibilities of the everyday marketer. That’s why it is so important to stay across these changes that directly impact day-to-day marketing activity. Marketers can no longer solely rely on legal and compliance teams as the answer to uphold the law in their businesses. Instead, with the direct hands-on link that marketers have to consumer data, being able to identify compliant and non-compliant practices is critical.
Want to know more?
Check out our regulatory course offering with a range of options to suit your needs. From our online short courses to our more comprehensive Privacy and Compliance for Marketers course, ADMA IQ has your regulatory upskilling needs sorted.