Kate Chaney (Curtin, Independent) Share this | Hansard source

Scams are a huge problem and absolutely need to be addressed in legislation. This bill, the Scams Prevention Framework Bill 2024, is a good start, but I don't think it goes far enough in considering the experience of the victim. But, in the spirit of pragmatism, I'll be supporting it.

Some of the first constituent stories I heard after being elected were from people in my community who'd been the victims of scams, and it's such a significant issue for my constituents that I've spoken about the issue of scams a number of times in parliament. In 2023, I told Lisa's story. Lisa lost $750,000 in a scam where she set up an account with the ING Bank, or at least she thought she did, only to discover that the account was fake. I also spoke about John, who lost $2.7 million in an elaborate scam when he relied on a broker for his investments and it turned out that the broker was actually a fake company. Last year, in 2024, I told Tim's story. His mum lost $800,000 in a scam that actually resulted in a capital gains tax liability, even though she'd been scammed out of the assets. Because this issue of scams is so important to my community and to all Australians, I, along with the member for Kooyong, co-founded the Parliamentary Friends of Scams Protection so that MPs and senators from across the floor could meet and try to find some better ways of addressing this growing problem.

The magnitude of scam losses is hard to believe. CHOICE tells us that nine out of 10 people have come across what they suspected to be a scam in the last 12 months. In 2023, Australians lost an astonishing $2.74 billion to scammers. It has dropped a bit recently, but that's nearly three times what it was in 2020. In 2023, Australians lost more than $5,000 per minute, and that's just the scams that were reported. The vast majority of scams are not actually reported.

The Australian Competition and Consumer Commission says investment scams were the highest loss category, followed by remote-access scams and payment redirection scams. Traditional electronic bank transfers remain one of the most commonly reported means of payments to scammers, but social media scams are apparently the most profitable. The Australian Securities and Investments Commission has found that banks only reimburse between two and five per cent of customers affected by scams—so, really, a tiny proportion of the losses that are occurring. Right now, there's no clear obligation on banks, telcos or social media platforms in relation to scams management. That's all to say that the introduction of a scams protection framework in parliament is essential.

I acknowledge the work done to date. The National Anti-Scam Centre was set up in July 2023. It has a mandate to disrupt scams before they reach consumers, and that's starting to make some impact. But, as fast as we work to stop scams, the scammers keep innovating, and the scams evolve even faster, so it can feel impossible to keep up.

That brings me to the bill, which is a welcome addition to the network of scam prevention measures, but it could be better. What does it actually do? It introduces mandatory sector-specific codes to protect Australians against scams. The framework will first apply to banks, telecommunication companies and digital platforms, but the minister could consider adding additional sectors as the framework develops and as scams continue to evolve. This bill attempts to protect the vulnerable by creating obligations on those providers. The bill sets out obligations for businesses that are providing services in one of those three regulated sectors to do a few things: proactively take reasonable steps to detect, prevent and disrupt scams; report to the ACCC about actionable scam intelligence and scam responses; and establish internal dispute resolution processes and join an external dispute resolution scheme to resolve customer complaints for scams. If they don't comply, they may face significant civil penalties. It also sets out the ACCC as the framework regulator, and individual sector regulators can be designated by the minister. The minister can also make codes for each regulated sector.

There are some good things about this approach that I first want to talk about. We absolutely need the regulation. We absolutely need a simple, clear regulatory framework that can be understood by both businesses and consumers. It needs to be as clear as possible for business to implement measures and as simple as possible for consumers to access help. Some of these principles are addressed here and some have some work to be done.

I agree with the government's approach to base the framework on principles. It's such a big problem, and it's evolving over time, so we need a broad set of principles on how entities will work to protect consumers. Under the framework, regulated entities are required to publish policies about how they'll respond to scams in relation to the principles of governance—prevent, detect, report, disrupt and respond. I think it's important to regulate this issue as a progressive problem. It will keep changing. Each entity must take reasonable steps to prevent and protect, and to disrupt scams.

I also appreciate the single-door approach to scams regulation. We need to make scams prevention as accessible as possible for consumers. The Australian Financial Complaints Authority has jurisdiction to deal with all scam disputes involving banks, telcos and digital platforms, which will hopefully reduce red tape and complexity.

I support the safe harbour provisions. The legislation allows for a 28-day safe harbour protection for regulated entities to take proportionate disruptive steps to respond to concerns. This may feel like a long time for consumers, but I support the advice of stakeholders that the objectives of the framework can only be achieved if regulated entities feel empowered to take strong and timely action to block activity that they suspect may be a scam but where they don't have sufficient information to be certain the activity is a scam. The safe harbour provision will help with that.

There are a number of things in the bill that concern me. Prevention is really important, and we absolutely need to do that work, but this legislation should create a really clear path for victims if they're scammed. Scams will never be stamped out completely. It needs to be obvious and clear for victims who have already experienced a loss what they can do to get compensation. I have concerns in three areas: the compliance approach, the onerous dispute resolution mechanism, and the onus being on the victim. As drafted, this legislation is designed for businesses to take a minimum standard compliance approach rather than incentivising innovation to keep up with scammers who are always steps ahead. I think that's a problem. The dispute resolution mechanism is complicated, expensive and onerous for the consumer. It requires the consumer to go through an internal dispute resolution process first with the regulated entity before escalating their complaint to an external dispute resolution mechanism.

The Australian Law Society said in its submission that directing scams to internal dispute resolution processes before they go external would result in a poor and frustrating experience for victims. Perhaps the most concerning part of the legislation in front of us is that the onus of proof is very much on the consumer or the victim of the scam rather than the organisation that allowed the scam to happen. So the person who had the money stolen from them, despite the requirements of the banks or telcos to stop it, is required to show that the bank, telecommunication company or digital platform didn't do enough. The vulnerable victim has to take on the business to prove that the institution didn't meet the requirements.

This seems very challenging for a consumer who has just suffered a loss—which could be considerable—to then have to navigate the legal system to prove the scam is the fault of the bank telco or digital platform. Reversing the onus of proof so that the bank, telco or digital platform must show its reasonable steps would be a more consumer focused approach where there's significant asymmetry of information. The banks and telcos will know a whole lot more about what steps they've taken and what they could take than the consumer, who's looking at it all from the outside.

Where a scam could be avoided by multiple parties—that is, a bank, a telco and a digital platform—the risk of the scam harm should be allocated to the party that can avoid the scam harm at least cost. In almost all circumstances, the parties best placed to eliminate or mitigate scam risk would be banking, telecommunications and digital platform companies. This is because, first and foremost, they have control over the architecture and design of their systems and processes.

Another way of dealing with it would be a mandatory reimbursement model. Under the UK model, UK banks will be required to reimburse up to a maximum of about $166,000 unless the consumer acted with gross negligence. If you've brought it on yourself and it's entirely because of your action, then there's no mandatory reimbursement. Otherwise, you will get reimbursed. Instead, Australian consumers can obtain compensation via the AFCA or by exercising their private right of action for damages against regulated firms if and when they can establish a breach of those legal requirements.

Australia has the opportunity within this framework to aim far higher and become a world leader in preventing and disrupting scams and responding to innocent people and families whose lives are markedly changed by scams. Having heard so many stories from consumers in my community and considering how hard it can be to navigate the dispute resolution process, I don't think this proposed legislation puts the interests of the victims first and foremost.

In conclusion, I appreciate the minister's engagement with me personally on this issue and with the crossbench on the government's broad response to scamming. I recognise the importance of introducing an overarching framework and proposed industry codes for banks, telcos and digital platforms. It's absolutely a great start, but it doesn't focus on the experience of the victim enough. In the context of a complicated and evolving space, while scammers continue to innovate, the framework still ensures the onus is on consumers to navigate that system and prove that the bank, telco or digital platform failed them. Shifting this onus onto the companies with the information and the scale would create better incentives for companies to continue to innovate on how they prevent scams. But, in the spirit of pragmatism, this framework is better than nothing, and it's definitely an improvement on the existing approach. I won't let the perfect be an enemy of the good, and on that basis I will be supporting this legislation. But there is a clear opportunity there, perhaps in the future, to make this go further to protect Australians better.

See this speech in context