
Australia's Scam Laws: The Scams Prevention Framework Explained

In February 2025 Australia passed a world-first law forcing banks, telcos, and social media platforms to prevent, detect, and disrupt scams — or pay. Here is what the Scams Prevention Framework actually does, and what it means if you have already been scammed.


Australia took a different route from the UK. Instead of ordering banks to refund every scam, it passed a law making banks, phone companies, and social media platforms legally responsible for stopping scams across the whole chain — the fake ad, the spoofed text, and the payment. It is called the Scams Prevention Framework, and it is one of the most ambitious anti-scam laws in the world.

Jurisdiction matters.

This guide covers scams involving Australian banks, telcos, and platforms. If you paid from a UK account, the UK's mandatory reimbursement rules are far more generous; the US and Singapore differ again.

What the Scams Prevention Framework is

The Scams Prevention Framework (SPF) passed Parliament on 13 February 2025 as an amendment to the Competition and Consumer Act 2010. Rather than a single rule, it sets legal duties on the businesses scammers rely on to reach and pay victims.

  • $50M: maximum civil penalty per breach
  • 3 sectors: banks, telcos, digital platforms first
  • 6 duties: govern, prevent, detect, disrupt, respond, report

The framework is built on six overarching obligations. Regulated businesses must:

  1. Govern
     Put senior-level anti-scam systems, policies, and accountability in place.

  2. Prevent
     Take reasonable steps to stop scams reaching customers — for example, verifying advertisers or checking payee names.

  3. Detect
     Actively identify scam activity, high-risk transactions, and known scam signatures.

  4. Disrupt
     Act quickly to interrupt scams in progress — hold suspicious payments, take down fraudulent content.

  5. Respond
     Handle reports, support victims, and act on intelligence from other businesses and regulators.

  6. Report
     Share scam data with the National Anti-Scam Centre so patterns can be tracked across sectors.

Who enforces it — and how victims get redress

The SPF is overseen by multiple regulators: the ACCC (through the National Anti-Scam Centre) leads, with ASIC and the ACMA covering finance and telecommunications. Breaches carry civil penalties of up to $50 million.

Crucially for victims, the framework includes a private right of action and external dispute resolution through the Australian Financial Complaints Authority (AFCA). This is the key difference from the UK: Australia does not guarantee a refund for every scam. Instead, if a bank, telco, or platform failed its legal duties and that failure contributed to your loss, you can seek compensation — through AFCA or the courts.

No automatic refund — yet.

Under the SPF, reimbursement is tied to fault. You generally recover when a regulated business breached its obligations, not simply because you were scammed. That makes documenting how the scam reached you — the ad, the platform, the payment path — especially important.

The timeline: not fully live yet

The law has passed, but its teeth arrive in stages:

| Milestone | Date |
| --- | --- |
| SPF passed Parliament | 13 February 2025 |
| SPF rules commence | 1 September 2026 |
| Full sector obligations enforceable | 31 March 2027 |

In the meantime, the banking industry's voluntary Scam-Safe Accord is already rolling out measures like a confirmation-of-payee name-check service, so that a transfer to "John Smith" warns you if the account name does not match.

What to do if you were scammed in Australia

  1. Contact your bank immediately
     Report the fraud and ask them to attempt to recall or freeze the funds. The faster you act, the more likely money can be stopped before it moves.

  2. Report to Scamwatch and ReportCyber
     File with Scamwatch (run by the National Anti-Scam Centre) and ReportCyber (police). Reports feed the intelligence that drives disruption across the framework.

  3. Complain to AFCA if your bank falls short
     If your bank did not meet its scam duties, lodge a free complaint with the Australian Financial Complaints Authority.

  4. Preserve the evidence
     Keep the scam ads, messages, fake platform screenshots, and transfer records — they establish both your loss and where a business failed.

If crypto was involved, the same fundamentals apply everywhere: report fast, keep records, and understand how stolen crypto is traced and whether it can realistically be recovered before paying anyone who promises to get it back.

Frequently asked questions

Does Australia have to refund my scam like the UK does?

Not automatically. The UK mandates reimbursement for most authorised push payment fraud; Australia instead penalises banks, telcos, and platforms that fail their anti-scam duties and lets victims seek compensation through AFCA when those failures caused the loss.

The scam started with a fake ad on social media — does that matter?

Yes. A distinctive feature of the SPF is that digital platforms, not just banks, carry legal obligations. Where a platform failed to prevent a fraudulent ad or account, that can form part of a claim.

Is the framework fully in force?

No. The rules commence on 1 September 2026 and full sector obligations become enforceable from 31 March 2027, though voluntary industry measures like confirmation of payee are already appearing.

How does this compare to my rights elsewhere?

Very differently. See our guides to UK bank reimbursement, Singapore's anti-scam laws, and where the US stands.

Key takeaways

  • Australia's Scams Prevention Framework (Feb 2025) makes banks, telcos, and digital platforms legally responsible for preventing scams.
  • It imposes six duties — govern, prevent, detect, disrupt, respond, report — backed by penalties up to $50 million.
  • Redress is fault-based: you generally recover when a business breached its duties, via AFCA or the courts — not an automatic refund.
  • Full obligations are phased in through 2026–2027; voluntary measures like confirmation of payee are already live.
  • Report to your bank, Scamwatch, and ReportCyber immediately, and complain to AFCA if your bank fell short.


Scambulance will never ask for your private keys, passwords, or seed phrases. Anyone promising guaranteed fund recovery is likely a scammer.
