House debates

Thursday, 7 November 2024

Bills

Scams Prevention Framework Bill 2024; Second Reading

9:22 am

Photo of Stephen JonesStephen Jones (Whitlam, Australian Labor Party, Assistant Treasurer) Share this | | Hansard source

I move:

That this bill be now read a second time.

International crime organisations are targeting Australia. There is a scam pandemic, and it is costing billions. The previous government left Australians to fight this on their own. This is about to change. The Scams Prevention Framework Bill 2024 establishes a world-leading, whole-of-ecosystem approach to combat scams in the Competition and Consumer Act 2010.

This bill will lift obligations on industry, enable enforcement action by regulators and deliver strong protections for consumers.

It will make Australia one of the toughest places in the world for scammers to operate.

The human impact of scams

Over the last two years, I have talked to literally thousands of Australians across the country, from Cairns in the north to Hobart in the South, from Melbourne to Perth and all the places in between.

In every room, so many people have been touched by the scourge of scams.

Allow me to share just a few of these stories:

Investment scams

Mark received advice from what he thought was a legitimate financial advice advertisement which encouraged him to invest in cryptocurrency.

Mark was encouraged to set up multiple accounts to transfer his investment into. After three payments, he started to get concerned that nothing was appearing in his cryptocurrency account.

He was told that he had insufficient funds in the account so needed to make another payment for the crypto to appear.

It was only then that he realised that he'd had over $5,000 stolen by criminal scammers.

Romance scams

Sam had thousands of dollars stolen in a romance scam. They met online before quickly moving to communicate by text and email. This went on for several months. There wouldn't be an MP in this place who has not had representations from constituents concerning romance scams, and I'm sure we all agree they break our hearts.

In this case, the criminal scammer claimed to have been locked out of his bank account and needed urgent funds as his sister had been rushed to hospital.

It was only after transferring more than $14,000 that Sam realised the scammer had been impersonating somebody else.

The money was stolen with limited hope of getting any of it back.

Online s cams

Then there was Nick, who found a vehicle advertised online and contacted the seller to make arrangements to purchase it.

The criminal scammer sent through an official-looking invoice and payment details and Nick transferred $18,000 to the account to purchase the car.

The car was being shipped from interstate, accordingly, and the arrival date came and went, but no car arrived.

The money was stolen with limited hope of getting any of it back.

These stories, and thousands like it, are the product of a non-existent legal framework which has abandoned consumers and does not require businesses within the scam ecosystem to disrupt and prevent scams.

The s cale and n ature of the p roblem

These stories point to a criminal pandemic with deep economic and social consequences. It's not a new problem. Losses had been increasing every year since 2016. They became supercharged during the pandemic.

In 2021, scam losses increased by a whopping 84 per cent.

In 2022, an extraordinary $3 billion was lost to scammers—a 75 per cent increase on the previous year.

When the Albanese government came to office, scams were out of control and urgent action was needed. A business-as-usual approach could have seen losses approach $6 billion if the previous trends had continued.

We moved quickly to establish the National Anti-Scam Centre, a sender ID registry, and a website take-down capacity within ASIC. We worked with banks to cut transfers to high-risk crypto exchanges.

The early results have been good. In 2023, scam losses did not increase as they had under the previous government. In fact, they decreased for the first time in nearly a decade—one of the only countries in the world where that happened. But—at $2.74 billion—this is still an extraordinary amount of money stolen by scammers.

Some people still think of scammers as con men peddling easy-to-spot schemes and that, if you get scammed, you're a mug; it was your own silly fault. That was the approach that was taken by the former government. It was a private problem. There was no need for a public intervention.

In this framing, it's really easy to blame the victims for falling for an 'obvious' scam.

However, it's an outdated view. Scams have been industrialised by sophisticated, transnational criminal organisations.

I want to give the House a sense of the magnitude and industrialisation of these operations. In May this year, a report prepared by the ASEAN-Australia Counter Trafficking program looked at the relationship between human trafficking, forced labour and the cyberscam industry in one country alone, in Cambodia—just one country. The report found as follows:

As many as 100,000 people from around Asia, and as far away as East Africa, are trapped in cyber-scam compounds around the country. In these guarded compounds, thousands of individuals, many of whom are recent university graduates, are forced to engage in cybercriminal activities, ranging from romance and cryptocurrency scams to online gambling and fraudulent investment scams, for up to 16 hours per day.

This is a business model that must be broken. It must be broken.

The criminals don't discriminate. There are scams targeted to specific demographics: ticket scams for concert goers, investment scams for retirees.

If you have a phone, an email address, a social media account, or a bank account, you're a target. Older Australians are a major target of investment scams, and they are losing the most.

International response

International criminal activity of this scale requires a coordinated international response, and we've prioritised our relationships in this area.

Earlier this year, I attended, on behalf of the government, the first international summit convened in the United Kingdom. Signatories to the communique from that summit committed to working together to improve our cooperative efforts, including in the areas of intelligence sharing and money recovery.

I have followed this up in our region, including in a recent visit to Singapore with our colleagues from New Zealand and from the banks where we met with regulators, the Singapore Anti-Scam Centre, digital platform providers and a range of other stakeholders.

We exchanged information and ideas on regulatory and law enforcement responses to the challenge.

These are all important initiatives.

But there are limitations to traditional law enforcement approaches.

The Scams Prevention Framework Bill

This bill sets out what we can and must do here in Australia.

The bill's about prevention—and has the consumer at the centre of our approach. It looks across the scams ecosystem which has a requirement to take the fight up to the scammers. The best approach is to protect the consumer before the scam occurs.

It also provides a clear pathway for redress if a victim is scammed.

The Albanese government believes that the government must play an active role in keeping Australians' money and their information safe.

I've spoken about the first phase of our work—the establishment of the National Anti-Scam Centre (NASC). It's an investment in consumer protection infrastructure to bring together the expertise and capability of government agencies, law enforcement and the private sector to detect and disrupt and prevent scams. The NASC is a function operated within the Australian Competition & Consumer Commission. It will have a key role in the information exchange in the operation of these new laws.

The bill is the next phase. It's phase 2. It establishes the legal framework setting out the legal obligations for business. The Scams Prevention Framework—or SPF, for short—will drive a significant uplift in the obligations and expectations on business to keep the Australian community safe.

Key features of the framework include:

            The definition of scams

            Preventing scams means understanding the nature of the threat. Scam activity is quickly evolving and becoming increasingly sophisticated and diverse. There are many different methods that scammers use to harm the community.

            The bill recognises this in the definition of scams, by setting a broad definition to capture the wide range of activities which may form part of the deceit and manipulation used by scammers. They are deceptive attempts to engage a consumer, which if successful would cause loss or harm, such as by obtaining personal information or a financial benefit, from the consumer or their associate.

            The SPF seeks to stop scammers at every step in their deceptive activity, and therefore captures both successful scams which have caused loss or harm, and scam attempts which have yet to result in a loss or a harm.

            Who is protected?

            The bill is about protecting consumers, broadly defined. We've had representations from small businesses who say they too are victims of scams.

            This includes people or small businesses that are provided services by regulated businesses in Australia, as well as people ordinarily residing in Australia that may use a service outside of Australia, where that service is provided by a regulated entity in Australia.

            Who are the regulated entities?

            On a number of occasions this morning, I have described our prevention approach as whole of ecosystem. This is a really important concept in the preparation and operation of these laws. Our banking system is part of that ecosystem, but there is much more to it.

            In December last year the peak international body for consumer organisations issued a statement which called on governments to take this ecosystem approach. In that statement, they said:

            We are calling on governments to ensure adequate protection against the growing risks of scams on technology platforms. Governments should require platforms to take effective action in the prevention, disruption and detection of scams, which should be continually improved. There should be significant consequences if technology platforms fail to meet the following essential requirements …

            The essential requirements set out in that statement include measures, disruption strategies and response and support for victims of scams. I note that this statement is endorsed by the Australian consumer organisations Choice and the Consumer Action Law Centre.

            The Albanese government wholeheartedly agrees. The SPF will do just this.

            Just last month the UK's peak consumer body called on their government to implement a cross-sectoral scams- and fraud-reporting framework, a framework that joins up intelligence from government, telecommunications, banking and social media sources.

            Again, the government agrees. This is exactly what the SPF will achieve.

            The scam ecosystem looks at the environment in which scams are generated, how they are transmitted, how they reach their intended victim and the location of the money or information which is the end goal of the criminal.

            While scam techniques will change over time, they are overwhelmingly distributed through a publication on a social media platform, a call or message sent over the telecommunications network, and a transaction through a bank account—key parts of the ecosystem.

            We understand that the vectors and targets of scam activity will change over time. This is why the bill provides the responsible Treasury minister with the power to designate a sector of the economy that will be subject to the obligations of the Scam Prevention Framework.

            Once a sector is designated, the minister will be able to make an enforceable SPF code that provides the designated sector with prescriptive obligations tailored to that sector. The obligations are all about keeping their customers safe from scams.

            The government will designate telecommunication providers, banks and digital platform services relating to social media, paid search engine advertising and direct messaging initially. We won't stop there.

            Each of these sectors represents a significant vector for criminal scam activity.

            The SPF is responsive and adaptable, enabling other sectors to be designated in the future. We have put the superannuation, insurance and cryptocurrency industries on notice that they will be fast followers.

            They do not have to wait for government designation to start the hard work of improving their consumer protections.

            SPF principles

            The SPF principles set-out requirements for regulated entities to implement governance arrangements to combat scams and take reasonable steps to prevent, detect, report, disrupt and respond to scams.

            SPF principle 1: governance. Regulated entities must document and implement policies, procedures, metrics and targets for combating scams.

            SPF principle 2: prevent.Regulated entities must take reasonable steps to prevent scams. It's on them; they must take reasonable steps to prevent scams within their businesses. This is aimed at stopping scams from reaching or impacting their customers.

            For banks, this will mean enhanced verification procedures, such as confirmation of payee for transactions. For digital platforms, this will require strict advertising policies and require them to verify and validate their advertisers. Is the business legitimate? Is the person placing the ad an authorised representative of that business? If this can't be validated—then no ad shall be posted.

            SPF principle 3: detection.Regulated entities must take reasonable steps to detect scams both as they are happening and after they've happened. This may include implementing systems and processes to identify suspicious activity, timely investigations of actionable scam intelligence and identifying consumers that may be impacted. Under this principle, a hands-off, 'it's not our responsibility' approach will not be acceptable. That was the previous approach. It is not the approach under this government.

            SPF principle 4: report.Regulated entities must share actionable scam intelligence with the Australian Competition and Consumer Commission (ACCC), who may then disclose that information to other parties including other regulated entities, regulators, and law enforcement to drive timely disruptive action in response to scam activity. Reporting is a key part of this framework because it involves us collecting that information and enabling real-time intelligence sharing amongst designated sectors.

            The bill makes clear that actionable scam intelligence covers information where it is reasonable to suspect that a communication, transaction or other activity is conduct related to a scam. So there is an obligation on regulated entities not only to prevent and not only to detect but to report activity on their network. This is important because a scam communication that is sent throughout one telecommunication provider network might be known within that telecommunication provider's network but might not be known across another network and won't be known within a banking system. So we need to ensure that intelligence is shared on a mandatory basis across all participants within the scam ecosystem.

            The bill makes clear that actionable scam intelligence covers the relevant information so that businesses can respond accordingly.

            SPF principle 5: disruption.Let me talk about disruption. Again, a hands-off approach is no longer going to be acceptable. Regulated entities must take reasonable steps to disrupt an activity suspected of being a scam and prevent losses to their consumers. They must take action to disrupt activity suspected of being a scam and prevent losses to consumers. When I reflect upon this principle, I'm reminded of the recent HSBC scam that went on for months, and, had these laws been in place, I can guarantee that the losses accrued to Australians and, in fact, citizens elsewhere in the world would've not occurred because there would have been a legal obligation on that bank to take a proactive action to disrupt the scam and take more action to protect their consumers and their customers.

            The legislation provides a 28-day protection (a safe harbour, if you like) for regulated entities taking proportionate action to disrupt scams in good faith. The safe harbour protection enables timely and decisive disruption action, whilst setting clear guardrails and parameters to ensure that third parties are protected from ongoing disruptive action where they are not involved in a scam activity.

            Detecting and disrupting scams will require investment in advanced monitoring systems and prompt content removal or other relevant disruptive action. It will also involve providing consumers with better education and awareness activities.

            SPF principle 6: respond.Regulated entities must have an accessible way for consumers to report scams, to raise a complaint about a scam or about the regulated entities conduct relating to scam activities.

            There must be internal dispute resolution processes. These are intended to provide regulated entities with an opportunity to assess their conduct and resolve the consumer's complaint in a timely manner—not optional, mandatory. Banks have them in place at the moment. Most telecommunications companies have them in place at the moment. In social media platforms, try and find a front door to raise your complaints if you suspect that you've been a victim of a scam—almost impossible.

            Regulated entities must have regard to processes prescribed by the SPF rules and any guidelines for apportioning liability arising from the complaint.

            Regulated entities must also be a member of an external dispute resolution scheme authorised by the Minister which provides consumers a clear pathway to escalate scams related complaints and seek redress.

            The government has announced that it intends to authorise the Australian Financial Complaints Authority (AFCA) as the single external dispute resolution scheme for the three initial sectors to offer an independent, free, impartial and fair mechanism for consumers to escalate their complaints and seek redress. AFCA will be required to report serious and systemic scam issues to regulators, as well as report circumstances where parties fail to give effect to a determination in a complaint case.

            This will provide clear reporting channels and support for victims. It will also embed transparency and accountability in the process. No such complaint mechanism exists for most scam victims at the moment. This will change.

            Codes

            The SPF principles will be supported by SPF codes tailored for each regulated sector.

            An SPF code will set out detailed obligations specific to a regulated sector. This recognises that each regulated sector faces unique challenges with respect to scams and enables obligations to reflect those relevant circumstances. I've already reflected upon some of the contents of those codes. They'll be different for banks to telecommunications companies to social media platforms because the vectors are different, the threats are different, but the obligation to ensure that they are keeping their customers safe will be the same.

            The obligations in an SPF code are not intended to be an exhaustive list of requirements that an entity must follow to comply with SPF principles.

            SPF codes create only minimum standards for that sector, which an entity may be required to go beyond to comply with the SPF principles where it is facing a specific, targeted, and heightened risk of scam activity related to its regulated services.

            Regulation and Enforcement

            The bill establishes a multiregulator model for regulation and enforcement which recognises existing regulatory relationships and the existing roles and expertise of various regulators which is valuable for the effective administration of tailored sector obligations. Under the laws:

                  The bill imposes strong incentives for regulated entities to prevent, detect and deter scams. Maximum civil penalties—which are currently set at over $50 million per breach—may be imposed in regard to obligations where breaches would be the most egregious and have the most significant impact on consumers.

                  High penalties are intended to be an effective incentive for compliance across all sectors of the economy and provide a deterrent where higher possible gains could be made by regulated entities by breaching the SPF.

                  Regulators will also be able to use other compliance tools such as infringement notices, enforceable undertakings, injunctions, public warnings and remedial directions. Additionally, regulators could seek redress for harm or damages on behalf of victims where they pursue court action for the breach of an obligation (s58FZC(2)).

                  Consumers can also bring claims in court to recover loss or damages. Where this occurs courts will be able to consider the role of multiple service providers connected to a scam and apportion liability between them. Courts are required to prioritise payment of redress to the scam victim over payment of penalties for breaches (s58FD).

                  The SPF is being introduced as part of a broader effort to modernise Australia's laws for the digital age and the consumer protection agenda—and I pay tribute to my other colleagues who are working in this area, including the Minister for Home Affairs, the Attorney-General, the Minister for Finance and the Minister for Communications. This includes reforms to Australia's:

                                  The bill will also support the government and industry in international engagement and collaboration by enabling the sharing of scam intelligence across regulated entities, law enforcement and regulators in Australia, and supporting international enforcement action to disrupt illicit scam activities.

                                  Finally, the Legislative and Governance Forum on Corporations was consulted in relation to the bill and has approved them as required under the Corporations Agreement 2002.

                                  I want to take this opportunity to thank the colleagues from Treasury who are present in the chamber, who have been working hard over the last year and a half on all the policy work and the legislative preparation to ensure that this bill could be brought before the House today. I also want to pay tribute to those bodies that will be regulated entities once this bill passes into law. There has been extensive consultation with the telecommunications sector, the banking sector, social media, peak and individual organisations, and, of course, all of the consumer groups, together with colleagues from across the House.

                                  This is an important piece of law. As it stands today, if trends continue, Australians will lose an average of $7 million a day to criminal scams. That imposes a very high obligation on all of us in this place to ensure that this bill is passed into law. It can be done by the end of the month. If it is done by the end of the month, we can ensure that consumers can go into Christmas with peace of mind, knowing that they live in a country which has the strongest scam prevention laws of anywhere in the world.

                                  I commend the bill to the House.

                                  Debate adjourned.