
Moving Australia Forward on Scams

Treasury Consultation on Mandatory Industry Codes

In November 2023 Treasury issued its much anticipated “Consultation Paper on Scams – Mandatory Industry Codes” (the “Draft Code”, subject to consultation).

The Draft Code lands at a pivotal moment, where losses to scams have risen dramatically to over $3 billion per annum [1], drawing the fear and attention of Australian citizens, government and the business sectors, who all find themselves impacted. These figures reflect only reported losses and ignore the downstream economic, social and human impacts of scams, making the real impact much more significant.

As the first major governmental initiative in this space since the announcement of the National Anti-Scams Centre, the Draft Code represents a solid foundation for greater coordination, collaboration and efficacy across the multitude of public and private parties driving initiatives to reduce harm from scams for Australians. Importantly, it will also give legislative force to key scam mitigation principles and set in train the development of sector-specific codes across the scams ecosystem.

What’s In The Draft Code?

The Draft Code outlines the scope of businesses that will be subject to its requirements, the standards it seeks to impose on its subjects, and the interplay with the existing regulatory regime. We set out below a summary of these elements:

  • Three initial sectors captured – The Draft Code recognises that fighting scams will require actions across multiple sectors. Banks, telecommunications providers (“telcos”) and digital communications platforms (“social media”), recognised as the sectors most targeted by scammers, will be the three initial sectors subject to a forthcoming scam code.
  • General and sector-specific codes – The Draft Code outlines a number of sensible and easy to understand principles-based obligations.  These can be summarised as:

1. Prevention – Subject businesses will be required to assess the nature of their own specific vulnerability to scams and to define a fit-for-purpose strategy for identifying and preventing scams in their environment, including educating customers and training staff.

2. Detection and disruption – Subject businesses will become part of a public / private community which will share scam-related intelligence across its participants.  Businesses will be expected to act quickly and efficiently on the intelligence they gather and receive and to provide tools for customers to verify information in real-time.

3. Respond – Subject businesses will be required to establish user-friendly and timely avenues for customers to report scams, to act promptly to prevent further loss, and to inform customers of escalation pathways if they are unsatisfied with their outcome.

4. Report to regulators and other businesses – Subject businesses must promptly notify others when they confirm or suspect large-scale activity, must share intelligence with relevant regulators and NASC, and must keep records of scam activity and the business’ response.

  • Leveraging of existing regulatory regimes – The Draft Code recognises that scams touch numerous areas of existing regulatory guidance, many of which are already under review. Scammers are quick to exploit weaknesses exposed through cyber, identity, financial crime, privacy or truth in advertising frameworks. Rather than risk encumbrance or confusion of these existing regimes, the Draft Code seeks to impose itself in the open gaps. However, the Draft Code does not yet set out a methodology for alignment with existing regulations, in particular permissible cross-regulation on intelligence sharing. The Draft Code leaves open the possibility of lifting voluntary aspects of these regimes into legislation.
  • Definition of “scam” – The Draft Code defines a scam as “a dishonest invitation, request, notification or offer, designed to obtain personal information or financial benefit by deceptive means”. This definition deliberately distinguishes a scam as having an element of customer authorisation or participation (albeit under deceptive means), as distinct from fraud, which occurs without the customer’s authorisation or participation. This is a helpful starting point, though we note that experience from markets facing similar challenges (such as the UK and Singapore) highlights the difficulty that ecosystem participants have in differentiating scams from fraud with their customers, and the challenges that presents for the myriad downstream processes related to each.

Preparing To Implement The Draft Code – Complexities To Navigate

Businesses grappling with scams already face a number of complex topics. The Draft Code provides additional guidance related to these topics, and will require businesses to focus on the key implementation aspects, including:

Guidance in The Draft Code

The Draft Code makes clear the expectation that businesses must take “reasonable steps” to protect customers, including acting in a “timely manner” on scam intelligence.  

Implementing The Draft Code

Each business must define how it has implemented the concepts of “reasonable steps” and “timely” as they relate to its implementation of the Draft Code.

These definitions will be important. Where a business’ failure to take reasonable steps or timely action on intelligence contributes to a customer loss to a scam, that failure will naturally have bearing on the business’ fair and consistent conclusions with respect to reimbursement. What is understood to be “reasonable” will no doubt evolve through lived experience and the precedents created through dispute resolution channels.

Guidance in The Draft Code

The Draft Code sets out requirements for expeditious bi-lateral and even multi-lateral sharing of scam information with other businesses, scam intelligence bureaus and regulators, and for taking expeditious action on that intelligence.

Implementing The Draft Code

Implementing the Draft Code will require planning to prepare the business for the significant increases in in-bound and out-bound intelligence sharing and processing.

In the pursuit of timely intelligence processing, businesses will also need to plan ahead for future automation of information flows and action taking. This will call for the business to establish a common taxonomy for documenting and classifying scam typologies and individual scam events, and will also call for considered planning of data strategies and information flows within the business and across the ecosystem.

Guidance in The Draft Code

The Draft Code will introduce general and sector-specific provisions across banks, telecommunications providers and social media businesses.  The Draft Code envisions these sectors working in concert to identify scammers, exit them and prevent them from re-accessing services.

Implementing The Draft Code

With the introduction of cross-sector intelligence sharing, businesses will be called on to keep abreast of not only developments in their own sector, but also developments in other sectors.  

Guidance in The Draft Code

The Draft Code states a business must take all reasonable steps to prevent misuse of its services by scammers, and must seek to detect, block and prevent scams from initiating contact with customers.

Implementing The Draft Code

Businesses will need to establish a framework for evaluating intelligence and determining the circumstances in which the intelligence triggers the business’ threshold for taking down an account.  Such a framework will need to integrate into scam record keeping, and operationalise the resulting communique triggers to customers, third parties and regulators.  Customers will require an avenue to challenge any take-down decision, and a pathway to expunge their record internally and externally if their challenge is substantiated.

Guidance in The Draft Code

The Draft Code will require businesses to develop, maintain and implement an anti-scam strategy.  The Draft Code also sets clear expectations that a business must be able to act quickly on scam intelligence.

Implementing The Draft Code

As seen with cyber and other areas of financial crime, we can expect Australia’s fight against scams to change shape over time as we learn and react. A key driver of the sharp rise in successful scams is the ability of scammers to quickly experiment with and refine their use of artificial intelligence, and they can do so without the ethical tripwires, testing and controls businesses must apply in their own application of artificial intelligence.

As businesses embark on their assessments of the initial implications of the Draft Code, they will need to carefully consider how to organise the flow of internal and external scam intelligence.  In that consideration, businesses will need to consider where information flows will intersect their own artificial intelligence endeavours and automations of decisions, alerts and actions resulting from scam intelligence.

To Sum It All Up

The Draft Code is a welcome, necessary and substantial step forward in Australia’s response to societal harm from scams. The Draft Code will now be iterated and debated through the open consultation period and will prompt engagement from across sectors that will be required for Australia to ultimately progress a robust, multi-party and coordinated national defence against scams. In this regard, we believe that the Draft Code, and the complexity of both the threat and the policy environment in which it lands, highlights starkly the need for Australia to develop a unifying Economic Crime strategy (similar to that established by the United Kingdom). 

While the consultation process will result in change to some elements of the Draft Code, it makes clear the substantial shifts that are forthcoming and sounds the call for banks, telcos and social media to act now to ready their response.
