Luke Howarth (Petrie, Liberal Party, Shadow Assistant Treasurer) Share this | Link to this | Hansard source

The regulator sector says it is difficult to understand how these obligations will be interpreted by the regulator or by AFCA when consumer redress claims are made. This is particularly difficult when the prescriptive content of the codes that will sit alongside and inform these principles are still unknown. The Customer Owned Banking Association, COBA, summed up these concerns well, saying, 'The complexity of these obligations evidences why the codes must be created before designation, as key details on how to comply with the principles will be within these codes, without which our members will lack clarity in how to meet their obligations under the framework.'

Stakeholders have also raised significant concerns about the risks of being compliant with a mandatory code that's still in breach of the primary legislation principle. On this point, the ABA has said that in some cases there is no assurance that these requirements would effectively reduce scams, and the breadth of certain terms in compliance requirements may create uncertainty that could hinder large-scale investment aimed at preventing and detecting scams. To address this issue, some stakeholders have encouraged greater use of the targeted codes, with the primary legislation being focused on enabling the framework rather than it being a pseudocode containing its own potentially conflicting obligations.

It seems like the government hasn't been able to get all the work done and has resorted to this stopgap approach so that it can look like it's delivered on its commitment.

On this point I also question why the government has not been able to bring forward and consult on the designations and codes alongside the primary legislation. It took almost 18 months to even put forward a model for scams prevention and 2½ years to finally bring forward legislation, and it's not even enacting the full framework; it's just enabling legislation. The framework relies heavily on delegated legislation, but everyone has been expected to wave this bill through and hope for the best. Significant detail is missing. The government managed to do this when it brought forward the buy-now pay-later legislation. It still hasn't passed, but the regulations were available for consultation before its introduction. I wonder if this wasn't possible because the work simply hasn't been done in 2½ years. Where are the mandatory codes?

There is already a code-making power in the Competition and Consumer Act for the government to prescribe mandatory industry codes. These existing codes include the Franchising Code of Conduct, the Unit Pricing Code and the Dairy Code of Conduct. The minister could already have mandatory scams codes in place with this act. Instead his choice to overengineer for the sake of having a bill to wave around in parliament and to squeeze another announcement out has delayed action—that's the concern here. The minister himself admits he doesn't get given enough drafting resources, but he still decided to use the most drafting-intensive and slowest approach to make these codes. This process has been back to front, and consumers have waited too long as a result.

Even more bizarre is the regulation impact analysis that has been tabled with the explanatory memorandum. According to the government's explanatory materials, there are 'regulatory compliance costs of around $228.8 million in the initial year of operation and $88 million for each year ongoing'. However, this compliance burden appears to be grossly underestimated, based on some of the costing assumptions that have been used.

Here are a few of the strangest. There's 1.1 full-time equivalent staff required for a major bank to uplift antiscam activity and governance improvements. I was talking to a guy from ANZ today who told me they currently have 400 full-time people on scams—you know, the bank with the little hawk or the eagle on the ads—1.1 full-time equivalent staff, with this legislation? Come on! There's a $40,000 initial technology investment required for a major bank to comply with the info-sharing and reporting obligations, and $20,000 ongoing; a $40,000 initial investment in staff for a COBA member bank, a smaller bank, to administer antiscam activity and governance improvements, and $10,000 ongoing; and a $100,000 initial investment for a major telco to uplift antiscam activity and governance, and $50,000 ongoing. When the Assistant Treasurer spoke at the Press Club, he said that this framework will not be the bare minimum. Well, based on these assumptions, it looks a lot like the bare minimum to me.

A short conversation with any regulated entity would debunk these assumptions immediately. Either the government expects minimal uplift and investment from these regulated entities, or it is cooking the books by understating what the real compliance costs will be. I only mention this because we all know that, when there are compliance costs in place, they all get passed on to every user. This isn't just an oversight; this is a document signed off by the minister and tabled in parliament with the explanatory memorandum. Impact analysis is important, and an accurate estimate of regulatory costs guides the parliament's consideration of legislation. These are ultimately costs that get passed on to consumers, as I said a moment ago.

I hope that the Office of Impact Analysis does not sign off on this document as compliant without first a hundred per cent checking this. The minister and his department should go back and come up with costings that have accuracy, and issue a replacement explanatory memorandum.

Feedback from both industry and consumer advocates points to the complexity arising from the lack of clear liability rules and an apportionment mechanism for situations where multiple entities across different sectors are involved in a scam. Uncertainty about liability and apportionment is likely to create a chain of suing and countersuing between entities to apportion liability for consumer redress. This could result in confusion and delays for consumers seeking redress, who will typically not have full visibility of a scam attack chain and the reasonable steps undertake by each entity.

While AFCA has been designated as a single door for external dispute resolution, stakeholders expressed concerns about how its decisions would work in practice and whether it would be creating an expensive and convoluted process without an improvement in consumer redress. Under the proposed model, there could be a protracted examination through an external dispute resolution body of different companies' relative roles in the scammer's attack to determine possible redress. Some stakeholders speculate this could take years to resolve and for consumers to be reimbursed because of the complexity of the scam attack chain.

I understand changes have been made to the final bill to allow for rules or guidelines to be made around ensuring consumers have sufficient information to make a complaint and how liability should be apportioned. However, again, significant matters have been left to be dealt with in a delegated legislation which is yet to materialise. As this will outline how key aspects of this framework will operate, this information should be available alongside the bill.

Under the bill, entities face serious penalties if they do not report all actionable scam intelligence to the ACCC. The broad definition used for 'scam intelligence' means this reporting obligation could inundate the ACCC with an unprecedented volume of reports about scams without a clear mandate for what they will do with it—for example, publishing it or sharing it with regulated entities. Stakeholders have said this obligation will create a significant compliance burden and potential privacy issues without a clear connection to scam prevention or reducing consumer harm.

On this issue, the Customer Owned Banking Association has said it is 'concerned with the legislation's complexity and the regulatory burden that could be created, especially for smaller banks,' particularly the various reporting obligations. As it stands, there is the potential to lead to a regime focused too much on reporting rather than on protecting customers from scams. I appreciate changes have been made to the final bill to attempt to address the breadth of the reporting obligations, but, as it has only been a week since this bill appeared, it's difficult for stakeholders to advise whether they will make a meaningful difference to the compliance burden.

Stakeholders recommend the ACCC share a more manageable set of actionable reports with the National Anti-Scam Centre to use that information to develop a public, searchable database of known scams that consumers and companies can use to investigate whether something is a scam in real time. Forty-four million dollars has already been allocated to the National Anti-Scam Centre in the federal budget for a technology bill. This spend is vague, and I hope it is being used towards this kind of initiative.

I also note the good work of the banks existing information sharing initiative, the Australian Financial Crimes Exchange, or AFCX, which already facilitates the secure sharing of scam intelligence between banks. It is important the reporting obligations do not unnecessarily duplicate industry-led initiatives like this.

Under this bill, regulated entities face significant maximum civil penalties because the penalties regime has been aligned with the existing penalties regime in the CCA for serious competition law offences. I note that some stakeholders argue that this is disproportionate and that the civil penalty regime should be restricted to apply only to serious breaches or that there should be a clear list of matters which can attract a pecuniary penalty. The severity of potential penalties compounds the broader concerns about the vague principles based obligations in the primary legislation, serving the standalone obligations rather than being guiding principles for future mandatory codes.

The current design of the framework and the potentially disproportionate penalty regime increases the risk of regulator entities being more focused on compliance and minimising potential liability than on acting quickly and flexibly to address emerging scams or provide consumer redress.

On this point the Business Council of Australia said the proposed legislation is rushed, heavy-handed, complex and unclear. It is a prescriptive approach that reflects a compliance mindset rather than seeking to improve practical approaches to stopping scams. The Communications Alliance said:

… telcos are subject to as many four concurrent enforcement mechanisms, and could face penalties even when they comply with sector-specific codes – creating a 'quadruple jeopardy' of liability.

I am also concerned the broad operation of the framework and the disrupt principle in particular could have a chilling effect on the seamless digital experience consumers have had come to expect from their digital banking and digital platforms. For example, delays and blocks to payments, freezing of accounts, additional verification processes and mandatory scam questionnaires are likely to become commonplace frictions. While these could be valid reasonable steps to prevent a scam, they will also create a broader inconvenience and frustration for many Australians.

I note the final bill now includes a safe harbour protection from liability in relation to losses incurred because of disruption activity. However, the inclusion of this acknowledges that consumers and businesses will inevitably be disrupted in a way that could cause some losses. There is also a risk it will exacerbate the existing issue of debanking, which has worsened under this government and could be used to restrict banking services unnecessarily. Unfortunately, the government doesn't have a great track record with compensation schemes. The compensation scheme of last resort serves as a cautionary tale of good intentions gone wrong. It became a mess under the Albanese government's watch, with costs blowing out due to the design of the scheme and excessive administration costs. The CSLR recently admitted the 2025 levy will likely exceed the $20 million subsector cap for financial advice. It was originally supposed to be $10 million. This means financial advisers are set to be slugged with an even bigger levy than this year. This scam scheme includes similar cost-recovery elements and an underestimation of the compliance costs, as I outlined before, but I hope we don't end up with a similar mess that needs to be mopped up because it has been rushed through with minimal consultation or scrutiny. I hope this won't be a CSLR 2.0.

I also note this framework relies heavily on leaving matters to be determined in future delegated legislation. I must warn that giving this minister broad regulation-making powers is risky when you look at what recently happened with accountants and bookkeepers. They know this more than anyone. After the minister was given powers to unilaterally vary the tax agent's code of conduct, there was a massive pushback right around the country from these people—some of the most trusted people that there are, particularly for small and family businesses and sole traders. This minister made a determination which was widely criticised through a grassroots advocacy campaign and a united call for it to be scrapped from the leading accounting professional bodies. I won't talk too much more about that. I hope the minister has learned from this experience and does not use the same approach when making the many designations, codes and rules required for this scams prevention framework to be fully operational. The regulated sectors must put a lot of faith in the minister to get this right, and I hope this isn't another example of regulation by decree with no notice or consultation. The looming election should not mean that the designations and codes are also rushed and not properly consulted on, like this bill. The success of this framework will depend on these mandatory codes being well designed and effective.

As I mentioned earlier, a whole-of-ecosystem approach makes sense. The scam attack chain involves different sectors, and a coordinated approach is important as scam attempts become more sophisticated. However, the government's scams policy does nothing to address the law-and-order issues associated with scams. Scams are typically perpetrated by transnational criminals, and Australia is viewed as a honeypot by these criminals.

Fighting scams can't be left to banks, telcos and digital platforms. Other countries take these criminals on; that's very important, and that's something we should be doing too. The policy response to scams cuts across multiple portfolios and isn't something that Minister Jones, or even myself as his opposition shadow, can tackle from just the Treasury portfolio. It means ministers need to be talking to one another and getting their departments involved, which doesn't always happen in this place.

I will briefly mention the unclear role of the National Anti-Scam Centre. Despite pouring millions of dollars of funding into the National Anti-Scam Centre, it has zero mentions in this bill and seems to play no part. It isn't very clear how this funding is being used by the ACCC. Education and advertising on scams should be a key focus for this spend. I also note that the National Anti-Scam Centre has not published a quarterly scams report for the last two quarters since May. Scams reporting data, buried on the ACCC website, indicates that between May and September this year scam losses have started trending back up. I must ask: why is the minister taking credit for a downward trend in losses in 2023 but hiding this spike over the last six months? Why, with the huge additional resources provided to it, is the National Anti-Scam Centre not publishing quarterly scams reports for this period, yet this bill makes banks, telcos and digital providers report straightaway?

In conclusion, as I have said before, if there are sensible reforms which will help during Labor's cost-of-living crisis and doing-business crisis we want to see them come into parliament and be legislated as soon as possible. Unfortunately, the list of promised reforms in the Treasury portfolio, which is running out of runway before an election, has ballooned. Even the minister's top priorities like this are being left to the last minute, with rushed consultation processes and unexplained delays becoming the norm. The department and drafting resources are constantly scapegoated by this government, but it is becoming clear there is a lack of direction and leadership from the top. Unfortunately, the Albanese government's approach to legislating its scams prevention policy has been slapdash, half-finished and left to the last minute.

The theatrics we saw yesterday in question time from the Assistant Treasurer show us that this government is running out of time. The minister should be a little bit embarrassed that this work has been left too late. Something as important as this should not be rammed through without scrutiny because the government can't manage its legislative agenda or has prioritised other things. The bill was panned during consultation and many concerns that were raised—so many that I can't cover them all today—have not been fully addressed. The Assistant Treasurer's take-it-or-leave-it approach to this bill is disappointing. I assure stakeholders that this bill can't get any worse; it can only get better. I hope that, through a committee inquiry process, there will finally be proper and meaningful consultation on this bill, all stakeholders will have their voices heard and this bill can be improved and legislated.

Michael McCormack (Riverina, National Party, Shadow Minister for International Development and the Pacific) Share this | Link to this | Hansard source

I second the amendment, and reserve my right to speak.

Debate adjourned.