One Year On: What the SPF Has Changed - and What It Hasn’t

It has been 12 months since the Scam Prevention Framework reset how responsibility for scam harm is allocated across the ecosystem.

The most significant shift is the expectation that when credible indicators of scam activity exist within an institution’s environment, action must follow and that action must be defensible.

One year on, the question is no longer whether responsibility has shifted on paper. The real question is how that responsibility will be interpreted, enforced, and evidenced in practice across the scam prevention ecosystem.

‍

Responsibility Has Moved Upstream

Previously, much of the responsibility for surfacing scam harm sat with the consumer through post-incident reporting. This contributed to widespread underreporting and delayed visibility across the ecosystem.

At its core, the SPF reframes scam prevention as a shared institutional obligation rather than a downstream loss event. The emphasis shifts from reimbursement after harm to intervention before funds move.

For designated sectors, the test is no longer simply whether scams occurred within their customer base. The question is what the institution knew, and how it acted once actionable intelligence existed.

The inclusion of both sending and receiving banks has also changed the structure of the payment chain. Accountability no longer sits solely at the point of origination. It now extends to where funds are received and held.

This has changed how institutions approach fraud and compliance internally. Detection alone is no longer sufficient. Once credible indicators emerge, the expectation is timely escalation, proportionate intervention, and defensible decision-making.

‍

What the Data Shows – Before Commencement

According to the National Anti-Scam Centre’s Targeting Scams Report 2024, Australians reported $2.03 billion in scam losses in 2024 across 494,732 reports. Losses have declined from the 2022 peak of $3.1 billion, but the overall scale of harm remains significant.

These figures establish the baseline environment entering the SPF’s first year of operation.

They also highlight how scam losses concentrate within specific financial channels. In 2024, bank transfers accounted for 44.5 percent of reported Scamwatch losses, reflecting the continued reliance of scam operations on bank-based money movement.

Cryptocurrency represented a further $71.2 million in reported losses. Scam contact methods spanned phone calls, email, messaging services, and online platforms.

This is the operating environment into which the SPF will commence.

Losses declined prior to SPF obligations commencing in July 2026, falling from the 2022 peak of $3.1 billion to $2.03 billion reported in 2024.

These figures establish the baseline environment into which the framework will be enforced.

The SPF does not enter a static system. It enters an ecosystem characterised by layered infrastructure, compressed movement of funds, and the reuse of mule accounts across campaigns.

‍

Scope, Coverage, and Uneven Responsibility

In principle, the SPF was designed as a whole-of-economy response. In practice, its obligations do not apply uniformly across all digital intermediaries involved in the scam attack chain.

Certain actors currently remain outside the immediate regulatory perimeter, including elements of online marketplaces, dating platforms, some payment service providers, cryptocurrency exchanges, and specific communications channels such as VoIP and email services.

Scam campaigns, however, do not respect regulatory boundaries. They often begin on a platform, move through telecommunications infrastructure, and conclude within the banking system.

Where initiation occurs outside the perimeter but funds ultimately transit regulated institutions, liability pressure concentrates on those within scope.

Exemptions may reflect jurisdictional complexity or staged implementation. But differentiated coverage introduces coordination risk. Responsibility at the point of payment is clearer than responsibility at the point of initiation.

For institutions in scope, that distinction does not dilute obligation. Once credible intelligence exists within their environment, action must follow.

The Mule Recruitment and Money Movement Chain

As mentioned above, the SPF is framed as a broad ecosystem response. In principle, coordinated obligations across banks, telecommunications providers, and designated digital platforms represent a meaningful shift from fragmented intervention.

One way to understand how these obligations interact is to examine a typical mule recruitment and money movement scenario, where mule accounts and the recruitment flows behind them sit at the centre of many campaigns.

A common pattern looks like this:  

‍

A mule is recruited through a dating platform or hybrid online environment. Communication moves into direct messaging or email. Credentials are exchanged. An account is opened or accessed through an authorised deposit-taking institution. The scammer then controls that account remotely, moves funds through additional channels, and ultimately withdraws or converts value.

This sequence illustrates why obligations within the SPF attach most clearly at the point where funds move, even though much of the scam infrastructure sits upstream.

At each stage, different layers of infrastructure are involved.

Some of those layers fall within the SPF’s initial designation. Others do not.

The account-holding bank is clearly within scope. Telecommunications providers are within scope. Certain digital platform services are designated.

But recruitment platforms, such as Facebook Marketplace, communication infrastructure such as encrypted messaging platforms, offshore VoIP services, and cloud communication tools may fall outside the SPF designation perimeter., and elements of the infrastructure used to coordinate mule activity may sit outside the initial designation perimeter.

As a result, obligations are strongest where funds are held and moved. They are less direct at the earlier stages where mule networks are formed, access is transferred, and infrastructure is reused.

By the time funds reach a designated institution, much of the upstream activity has already occurred.

For institutions within scope, the operational question is therefore practical rather than theoretical. Once credible indicators surface within their environment, how quickly can they act, and how clearly can they demonstrate that their response was proportionate and timely?

That is where accountability concentrates under the initial SPF designation.

This does not undermine the SPF’s ambition. It reflects the difficulty of applying a whole-of-economy model to criminal infrastructure that spans multiple sectors and jurisdictions.

When Expectation Becomes Enforcement

The SPF carries significant penalties. Non-compliant entities face fines of up to A$50 million or as much as 30 percent of revenue, alongside potential reimbursement obligations.

With a concrete penalty regime, what remains unsettled 12 months on, is how those powers will be exercised.

Treasury’s consultancy sets out detailed examples of controls across governance, prevention, detection, reporting, disruption, and response. In other areas, the framework relies on principles rather than prescriptive rules. “Reasonable steps” are framed as proactive and proportionate actions reflecting an institution’s size, role, and exposure.

Sector codes will play a central role in narrowing that interpretation. Implementation is also staged, with internal and external dispute resolution mechanisms rolling out progressively.

‍

Industry Response: Alignment and Friction

The SPF carries significant penalties. Non-compliant entities face fines of up to A$50 million or as much as 30 percent of adjusted turnover, alongside potential reimbursement obligations.

Twelve months after passage, the legislation defines the consequences. What has not yet been tested is how regulators will apply those powers in practice.

Scrutiny of institutional conduct is also expanding through external dispute resolution. From March 2026, AFCA can hear scam complaints against receiving banks, including from non-customers, increasing focus on how institutions respond once scam funds enter their systems.

Where tension emerges is in application.

One recurring concern is uneven coverage. Scam campaigns may originate on one type of platform, move through another channel, and ultimately monetise within regulated financial infrastructure. When reimbursement exposure attaches most clearly at the point of payment, questions of proportionality and causal contribution inevitably arise.

Interpretation of the “reasonable steps” standard has also prompted discussion. The SPF frames those obligations relative to an entity’s size, capability, and exposure. That flexibility allows proportional application, but it also leaves room for interpretation until sector codes and enforcement precedent begin to narrow the standard.

Intelligence sharing has emerged as another focal point. If accountability attaches to knowledge, then structured cross-sector information exchange becomes operationally significant.

These dynamics reflect the difficulty of aligning preventative controls with financial outcomes across multiple sectors. They do not undermine the framework’s ambition. They highlight the complexity of applying coordinated obligations to a distributed criminal ecosystem.

‍

Year Two: Where the Framework Meets Reality

The SPF’s first year has been architectural.

Responsibilities have been extended. Perimeters have been defined. Penalty ceilings have been set. Sector codes have been drafted. Institutions have reviewed governance, escalation pathways, and reporting processes.

But architecture is not precedent.

The framework enters formal commencement in an environment characterised by layered criminal infrastructure, compressed funds movement, and cross-sector dependency. The question is no longer whether coordination is necessary. It is whether coordination will be operationalised at speed.

Year two will move the discussion from preparation to proof.

Dispute resolution mechanisms will mature. Sector codes will narrow interpretive flexibility. The standard of “reasonable steps” will begin to be tested in concrete scenarios, particularly where intelligence existed but intervention was delayed or incomplete.

What changes is the standard applied to institutions once activity surfaces within their environment.

When funds move through a designated entity, the question will not simply be whether a scam occurred. It will be whether the institution recognised credible indicators and responded in a way that was timely, proportionate, and documented.

Year two is where that standard will begin to harden.

As sector codes are finalised and dispute resolution mechanisms mature, the assessment of “reasonable steps” will shift from internal interpretation to external scrutiny.

The SPF does not remove the complexity of the scam lifecycle. It raises the threshold for how institutions must respond to it.

That is the practical test ahead.

‍

References

Scams Prevention Framework Act 2025
https://www.legislation.gov.au/C2025A00015/asmade/2025-02-20/text/original/pdf

Treasury – Scams Prevention Framework Consultation Hub
https://treasury.gov.au/consultation/c2024-573813

Treasury Position Paper – Advancing Australia’s Scams Prevention Framework through Codes and Rules (Nov 2025)
https://storage.googleapis.com/files-au-treasury/treasury/p/prj38c41037eb554b881caef/page/c2025_715201_pp.pdf

Treasury Explanatory Statement – EDR Authorisation Instrument
https://storage.googleapis.com/files-au-treasury/treasury/p/prj38c41037eb554b881caef/page/c2025_715201_es_edr.pdf

Treasury SPF Guide (Jan 2025)
https://treasury.gov.au/sites/default/files/2025-01/p2025-623966.pdf

National Anti-Scam Centre – Targeting Scams Report 2024
https://www.nasc.gov.au/system/files/targeting-scams-report-2024.pdf

ACCC – Targeting Scams Report 2023
https://www.accc.gov.au/system/files/targeting-scams-report-activity-2023.pdf

National Anti-Scam Centre – Targeting Scams Report 2022
https://www.nasc.gov.au/system/files/Targeting%20scams%202022.pdf

Scamwatch Data Portal
https://www.scamwatch.gov.au

ACMA – Action on Scams, Spam and Telemarketing (July–September 2025)
https://www.acma.gov.au/publications/2025-12/report/action-scams-spam-and-telemarketing-july-september-2025

ACMA – Exetel Penalised $694k for Anti-Scam Breaches
https://www.acma.gov.au/articles/2025-08/exetel-penalised-694k-anti-scam-breaches

AFCA – Australian Financial Complaints Authority
https://www.afca.org.au

Ashurst – Operationalising the SPF
https://www.ashurst.com/en/insights/operationalising-the-spf/

‍