Allegra Spender (Wentworth, Independent) Share this | Hansard source

According to the explanatory memorandum for the Scams Prevention Framework Bill 2024, four per cent of Australians were impacted by scams last year—that's nearly one-in-25 people. When you talk to members of the community, it feels like many more. The combined total of the losses we know about reached $2.7 billion—enough money to fund the government's changes to HECS and HELP indexation this year.

These numbers are so hard to grapple with because they're so large—until it becomes personal. A young man recently contacted my electorate office, having fallen victim to an investment scam that cost him nearly $200,000. He's a bright, young guy, trying to build a future, who had worked hard and saved—and just like that, it was gone. Now he is under unimaginable stress, navigating regulators, local police and Interpol and receiving mental health support. This is the experience of a growing number of Australians.

They are no longer those obvious scams that I used to warn my mum about, I'll be honest. It is a case of everyday Australians, savvy Australians, people who know what they are doing and who are really thoughtful about trying to guard against scams, losing vast sums of money—home deposits, their life saving—through complex and sophisticated, organised crimes. It's not simple; this is organised crime. It is incredibly sophisticated. The things that people are trying to guard against in their normal, everyday life, the things that we've been warned against—those basic checks that we can make are just not cutting it anymore. These are not just my words to describe it, these are the words of the Australian Securities and Investments Commission Deputy Chair, Sarah Court, in testimony to the House Economics Committee last year.

Currently, there is nowhere to turn. Internal dispute resolution within organisations is patchy and varied, and there's an obvious and problematic information asymmetry that prevents its consumers accessing information that might prove an organisation has been negligent. These companies are not incentivised or obligated to disclose information that might support my constituent that I was just talking about. Instead, they play hardball, disclosing information only under the threat of legal action.

Testimony from consumer action groups include anecdotes of corporations dumping pages of legal documents on scam victims, days before the hearing, with the intention to overwhelm and befuddle. Meanwhile, the concurrent framework of external dispute resolution is a hodgepodge of interconnected regulators with large holes in their remits that ultimately serve to confuse, rather than help, victims of scams. It is through this lens that I review this bill. It may be that this bill has good intentions, that it assigns responsibility fairly across a scam ecosystem comprising banks, social media companies and telcos and that it creates rules and standards that are better than the status quo. But I want to know how it will work for people like my constituents. Does it offer them real opportunities for redress? Does it remove the information asymmetry that would be able to demonstrate corporate negligence? Does it incentivise corporations to do their utmost to protect their customers against criminals trying to access the money, or does it create minimum standards that absolve companies of their responsibilities to their customers?

While I am pleased that this bill will address the problems with external dispute resolution, I still believe there are significant weaknesses in the legislation that will undermine its effectiveness. We are operating on an article of faith in these codes that would take nearly two years to implement. It is just not good enough. I cannot vote against a bill that creates a better framework for external dispute resolution in place, but I hold serious doubts about the impact this bill will have on scam losses, prevention and detection without amendment. That's because the bill focuses on inputs rather than outputs. This bill will enable the Treasurer to designate economic sectors to be subject to legislation and make enforceable scam prevention codes. It will require regulated entities to take reasonable steps to put in place governance arrangements that will help detect, prevent, report and disrupt scams. It will also introduce a substantial civil penalties regime to be enforced by the ACCC for regulated entities that do not meet these codes. This bill will create greater precautions on the telcos and, particularly, social media companies.

While this bill falls short in key areas, I do agree that it will support a substantially better external dispute resolution approach than exists currently. Having gone through this with my constituent, I found it extremely difficult to understand what avenues are open, and I am pleased to see that this bill will create a single front door for scams. I acknowledge that this bill will provide clear guidance for how AFCA will be able to deal with and assess scam cases.

But the bill is not enough, because, ultimately, I think it fails to create incentive schemes that will force those with most visibility and resources to tackle these problems at their source. This legislation, as the government seeks to pass it, will not fundamentally address the information asymmetry that exists between banks and their consumers. There are measures that we can put in place to create a race-to-the-top approach, which is actually required, instead of implementing a floor. The evidence of this is buried in the impact analysis by the explanatory memorandum. This analysis states that the legislation will have minimum impact on the organisations above what is already being achieved under industry-specific policies, such as the Safe Scams Accord.

The Safe Scams Accord was implemented in 2023, with the greatest contribution being the inclusion of the Australian Financial Crimes Exchange, the AFCX, which allows organisations to share the details of scam activity and pay verification accounts. The pay verification will be rolled out through 2024 and 2025. This is fantastic, except that this technology has been in place in Europe since 2017. That's eight years now that people in Europe have been protected against these scams, while Australian banks have been dragging their feet. This is the concern that I have—that this bill does not sufficiently drive at the incentives in the banks and in the different actors to really stamp out the scams. It just brings them up to a minimum standard, which they can constantly try and pull back on.

However, the impact statement of the explanatory memorandum states that the regulatory cost between the SPF and the status quo is an initial investment of $100 million and an ongoing investment of $31 million. However, the impact analysis estimates that 70 per cent of this cost is accounted for by non-affiliated banks, with the four major banks expected to increase their funding by only $6.2 million in initial investments. That's just six per cent. Ongoing costs would be a measly $1 million and just one additional FTE, according to the EM. This is despite ASIC finding that the scam strategy and the governance of the four major banks was less mature than expected.

Let's come back to the first point that I raised. Australians are losing $2.7 billion every year on scams, and that is the stuff that we know about. Under this bill, banks will be expected to make a net contribution of $100 million in implementing the scams framework. While $100 million is a lot of money, $2.7 billion lost every single year is a vast amount of money for Australian consumers.

The point that I continually hear and I continually want to make is that this isn't about consumers being negligent. This isn't about consumers being silly or consumers falling for really silly tricks—for which, frankly, we all need to have 'buyer beware'. This is about organised crime targeting Australian consumers, using the most effective and sophisticated technology, constantly evolving and constantly getting better at targeting and getting money out of Australian consumers through scams, and the banks are not doing enough to fight this. Australia is one of the countries with the highest amount of per capita losses from scams. The banks here are not doing enough, and I am just not convinced that this bill creates that incentive strongly enough for the banks, where almost all the money has to go through, to be really racing to the top.

It's important to come back to the point that I raised before. If the banks were doing such a great job of this already, why has the account payee verification technology, which was being introduced last year and will be introduced this year, been in Europe since 2017? Why have Australians been so slow to get the benefit of that technology? Because the banks have not had enough incentive to do something about it. This code is a great thing, but the truth is that the banks know more about how to improve their technology to fight scams than the regulators know, and the banks need very strong incentives to really be imaginative, be innovative and fight scams. I do not believe that this bill has enough incentives in there; I think this bill is just another catch-up bill.

I know that the bill and the government have been clear in saying: 'Look, it's great. We're bringing in the social media companies, and we're bringing the telcos in. This is great.' I accept that, and I support that. But, again, let's look at the impact of this work. On page 153 of the explanatory memorandum, it states:

Under Option 2—

that is, the Scams Prevention Framework—

there are unlikely to be significant additional costs for telecommunications providers who are compliant with current obligations.

So it's basically saying that they're not going to have to do anything really different if they're compliant with current obligations. In that case, what is the bill actually going to do? The EM acknowledges that self-regulation has not yet worked, yet this bill will introduce minimal additional provisions on top of what these industries are already proposing to implement. Australian corporations, particularly banks, are investing a lot in relation to scams. I acknowledge this, but it is clearly inadequate. Instead, this bill will give corporations a basic set of minimum standards, which will be quickly surpassed by scam innovation, to allow them to demonstrate to consumers that they have met their obligations. So banks will say they've met their obligations, and consumers are still going to get scammed.

The impact analysis of this legislation is also missing any consideration of a UK style reimbursement model. While I hold reasonable reservations about a complete reimbursement model, I think that this bill has completely failed to even consider stronger options and compromises, such as those brought forward by a coalition of consumer groups, including a presumption of reimbursement. The evidence emerging from the UK, despite the arguments over data, is that the scheme is working. I would have liked to have seen a stronger option modelled in the explanatory memorandum.

Given that, this bill, in its current form, needs to be substantially strengthened. Principally, it needs to explicitly address the information asymmetry that exists between regulated entities and consumers and incentivise regulated entities to innovate and combat scams above and beyond what is simply required. I acknowledge the minister's offers and assurances that some of these requirements will be included in the codes, but I'm not entirely convinced by the reasoning for why these cannot exist in the primary legislation. I believe that this bill leaves too much to the regulations and operates too much on faith. Australians have given up faith on this. That is why I will be moving an amendment to this bill that will seek the publication of scam data—including information about scams detected, responded to and reported—from all regulated entities on a quarterly basis. This model is currently used by the Payment Systems Regulator in the United Kingdom, where institution-level data on banks is published, and there is no suggestion that publishing this data has had unintended consequences.

The explanatory memorandum outlines that industry self-regulation is occurring in some sectors, but not at a pace consistent with growth in scam activity. Let's let Australian consumers make informed decisions about who is best placed to look after their money and who is actually protecting them best against scams. Let's make scam prevention a point of competitive tension in the system, rather than a tick-box exercise. While I will trust the regulation to appropriately determine exactly what metrics are reported by each sector, I believe that this can be explicitly included in the regulation.

I want to come back to this: what can the country do to fight against scams? One thing that the country and this parliament can do to fight against scams is make sure that consumers are armed with the best information they can possibly have when choosing where to put their money. It's about knowing which banks are doing a good job to fight scams and which banks need to pull up their socks. That allows consumers to make informed choices when they are faced with organised crime that is driving scams and making it so hard for consumers themselves to detect scams. The government should include this in the primary legislation. That is something that the government can do right now to protect our consumers. I'm still flabbergasted that, at this stage, they haven't.

I also welcome the amendments made by the member for Warringah, which will go some way toward reducing the information asymmetry that currently exists. Under this amendment, which the government has agreed to implement, regulated entities will need to provide certification of obligations within a set timeframe of scam complaint or face civil penalties. I will be closely scrutinising the certification process as it emerges through the regulation to ensure that it is robust and meaningful. These amendments should be minimum requirements.

In conclusion, this bill will substantially improve the external dispute resolution processes from a virtually non-existent baseline, so I will support it on that basis. But the assertion that this will make a really significant difference in terms of reducing scams and scam losses, drive meaningful levels of investment and, ultimately, better protect consumers is, in my mind, highly questionable. This legislation ignores the calls from a consortium of consumer groups, instead taking a pragmatic and, ultimately, soft approach to implement a modest improvement over what we already have.

See this speech in context