Navigating the Draft SPF Code: Implications and Responsibilities for Banks
The Treasury’s Scams Prevention Framework consultation package introduces significant obligations for banks, particularly regarding internal and external dispute resolution. With the framework set to take full effect in March 2027, banks must prepare to meet these new requirements while navigating unresolved questions around liability and compliance.
On 28 May 2026, the Treasury released a consultation package setting out its proposal for some of the substantive obligations under Australia's Scams Prevention Framework (SPF), currently scheduled to take full effect on 31 March 2027. The consultation package comprises the draft Competition and Consumer (Scams Prevention Framework SPF Codes) Instrument 2026 (the Draft Code), Competition and Consumer (Scams Prevention Framework Telecommunications Code) Instrument 2026, draft SPF rules, accompanying explanatory materials, a consultation guide and a position paper on internal dispute resolution (IDR Position Paper).
The SPF sets out key principles that regulated entities are required to adopt to prevent scam losses to certain consumers. Under the SPF, regulated entities are required to take action to prevent, detect, report, disrupt and respond to scams. They are also required to document their processes to govern the implementation of those principles.
The Draft Code outlines common obligations for the banking, telecommunications, and digital platform sectors, as well as sector-specific obligations for banking and digital platforms. This article focuses on the internal dispute resolution (IDR) and external dispute resolution (EDR) obligations imposed on regulated banks, including those foreshadowed by the Draft Code and IDR Position Paper, and identifies where banks remain in the dark pending further rules and Ministerial guidance.
The Proposed IDR Process
Under the 'respond' principle of the SPF, regulated entities must establish clear, accessible IDR mechanisms to receive and resolve complaints. Banks must also join an EDR scheme to handle scam-related complaints, as required by Subdivision G of the SPF Act 2025 (Cth).
The Draft Code provides additional information for banks on the requirements for complaint IDR mechanisms, including that the mechanism must:
be free of charge for the consumer;
be easy to understand, locate and use, including for those with disabilities or diverse backgrounds;
include multiple options to make a complaint about an activity that is or may be a scam; and
provide an option to access assistance from an individual within a reasonable time after requesting assistance.
The Draft Code specifies time periods for regulated entities to acknowledge receipt of complaints ("as soon as practicable") and respond to complaints ("as quickly as possible having regard to the complexity of the complaint and the scale of the activity"). If a complaint is not responded to within 30 days, the regulated entity must explain to the consumer why the complaint has not been resolved.
Regulated entities are required to cooperate with each other in relation to complaints that involve more than one regulated entity. Treasury have noted that the IDR process under the SPF will require each entity involved to assess their own compliance with the SPF and come to a shared view on how to settle the complaint with the consumer. The IDR Position Paper suggests that a "centralised IDR model … will likely represent an efficient solution for entities that receive a high volume of scam complaints". Regulated entities will be expected to engage at both the IDR and EDR stages of a complaint. The Australian Financial Complaints Authority (AFCA) will be the single centralised EDR scheme for SPF complaints.
Treasury have suggested that an efficient way to reduce the administrative cost and burden of IDR on regulated entities is to:
require regulated entities to automatically reimburse consumers for verified scam losses under $3,000, without formal investigation or assessment of liability; and
assign equal apportionment for multi-party disputes among regulated entities, noting the liability apportionment guidelines will not support consideration of the role of non-regulated entities.
The guidelines allow for adjustments in exceptional cases where unanimous agreement is reached. Such consensus is difficult to foresee in practice and will likely be a time-consuming exercise, potentially undermining the efficiency the proposal aims to deliver.
The IDR Position Paper proposes to include these suggestions within upcoming Ministerial guidance.
Outstanding Questions on IDR
The current suite of proposals leaves a number of outstanding issues on the IDR process:
The liability assessment remains somewhat unclear, although the IDR Position Paper notes that once the SPF framework is operational, it will take priority over other applicable frameworks like the ePayments Code.
The framework does not establish sufficiently clear or objective criteria for apportioning liability between participating institutions, which creates a risk of inconsistent outcomes and protracted disputes between regulated entities.
Customer contribution is not clearly dealt with, leaving uncertainty around whether, and to what extent, a customer's actions, such as authorising the payment or being extremely careless in relation to the scam event, could reduce or negate the institution's liability.
While some banks have previously advocated in favour of more "bright line" rules linked to response timeframes and obligations on banks to prevent scams, the current framework retains a high level of generality. It uses language such as "reasonable steps", "reasonable systems and processes" and "proportionate action", which could be interpreted and implemented in varying manners across and within regulated sectors.
The EDR Gap
In addition to the outstanding questions on liability assessment and IDR processes, the Draft Code does not expressly address an existing gap in the EDR process. Despite AFCA's jurisdiction having recently expanded to include investigating the conduct of receiving banks from 12 March 2026, and having the ability to compel receiving banks to pay compensation for financial and non-financial losses, there remains no dedicated framework setting out what is expected of a bank that receives scam funds.
AFCA has stated that it will apply a standard of "good industry practice" when assessing the liability of receiving banks. To date, the obligations under the SPF framework on receiving banks (which are regulated entities) include:
Recall requests: taking reasonable steps to assist the sending bank in reversing a transaction if a payment recall request is made (Draft Code, s 3-11).
Placing restrictions on accounts: acting proportionately if they reasonably believe an account they hold is being used to facilitate a scam (Draft Code, s 3-12).
Bank-to-Bank sharing obligations: assisting in confirming payee information by sharing details, which creates a reciprocal obligation that enables sending banks to verify payee details before processing transfers (Draft Code, s 3-2).
AFCA has stated that it will consider the receiving bank's policies and assess whether the receiving bank adhered to them. While this provides some form of a benchmark, it effectively holds banks to their own self-imposed standards, potentially creating a perverse incentive to adopt less detailed or prescriptive internal policies.
As banks will be aware, AFCA operates under an independent fairness jurisdiction, meaning it is not bound by legal precedents or previous decisions, risking inconsistent outcomes. While AFCA plans to conduct peer reviews to promote consistency, this is not equivalent to binding precedent.
While the Draft Code broadly applies to receiving banks as they fall under the definition of regulated entities, it is not specifically directed at receiving banks. Instead, the Draft Code provisions can be used to supplement or guide good industry practice for their role and expected contribution to preventing, detecting and disrupting scams. This includes:
Strengthening inbound transaction monitoring and mule account detection: receiving banks should assess whether their systems can effectively detect suspicious incoming activity and respond to intelligence obtained either through the existing Fraud Reporting Exchange or internal information about potential fraudulent actors.
Mandating document verification service checks at onboarding: receiving banks should mandate robust verification checks during account onboarding, including by using the Document Verification Service or an equivalent verification service. This should be a non-negotiable step to detect stolen or compromised identification before an account is created. Additionally, banks should implement systems capable of identifying suspicious patterns during account creation. Examples of suspicious patterns include multiple accounts opened using documents from the same issuance batch (e.g., passports or driver's licences with consecutive serial numbers), accounts being created with identical details (e.g., residential addresses), or applications being submitted shortly after identity documents are reported compromised.
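The three onboarding patterns named above (same-batch documents, identical details, use of a document after it is reported compromised) can be checked with simple grouping logic. The following is an added example, not part of the Draft Code or the original article; the record layout, flag names, the 14-day window and the sample data are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample applications: (app_id, doc_type, doc_number, address, submitted)
APPLICATIONS = [
    ("A1", "passport", "PA1000451", "12 Example St, Sydney NSW 2000", date(2026, 4, 1)),
    ("A2", "passport", "PA1000452", "7 Sample Rd, Perth WA 6000", date(2026, 4, 1)),
    ("A3", "passport", "PA1000453", "12  example st, sydney nsw 2000", date(2026, 4, 2)),
    ("A4", "licence", "DL0099120", "3 Test Ave, Hobart TAS 7000", date(2026, 4, 9)),
    ("A5", "passport", "PA2000999", "12 Example St., Sydney NSW 2000", date(2026, 4, 3)),
]
# Constructed feed of documents reported compromised: doc_number -> report date
COMPROMISED = {"DL0099120": date(2026, 4, 6)}

def normalise_address(addr):
    # Case, punctuation and spacing differences must not hide a shared address.
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", addr.lower()).split())

# window_days and min_shared are assumed thresholds, to be tuned per institution.
def onboarding_flags(apps, compromised, window_days=14, min_shared=2):
    flags = defaultdict(set)
    # 1. Same-batch documents: consecutive serials within one document type.
    by_series = defaultdict(list)
    for app_id, doc_type, number, _, _ in apps:
        m = re.fullmatch(r"(\D*)(\d+)", number)
        if m:
            by_series[(doc_type, m.group(1), len(m.group(2)))].append((int(m.group(2)), app_id))
    for serials in by_series.values():
        serials.sort()
        for (n1, a1), (n2, a2) in zip(serials, serials[1:]):
            if n2 - n1 == 1:
                flags[a1].add("consecutive_serial")
                flags[a2].add("consecutive_serial")
    # 2. Identical details: several applications from one normalised address.
    by_addr = defaultdict(list)
    for app_id, _, _, addr, _ in apps:
        by_addr[normalise_address(addr)].append(app_id)
    for ids in by_addr.values():
        if len(ids) >= min_shared:
            for app_id in ids:
                flags[app_id].add("shared_address")
    # 3. Document used within window_days after it was reported compromised.
    for app_id, _, number, _, submitted in apps:
        reported = compromised.get(number)
        if reported and 0 <= (submitted - reported).days <= window_days:
            flags[app_id].add("post_compromise_use")
    return {app_id: sorted(f) for app_id, f in flags.items()}
```

Each flag is a reason to route the application to manual review, and recording which flags fired and when supports the contemporaneous audit trail AFCA is expected to look for.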
Additional recommendations receiving banks could implement to enhance their preparedness, beyond the requirements outlined in the Draft Code, include:
Compliance monitoring and assurance testing: as AFCA will assess banks against their own policies, it is critical that those policies are not only well-drafted but consistently followed. Banks should implement regular assurance testing (to the extent they are not already doing so).
Responding promptly and effectively to recall and recovery requests: AFCA is likely to place significant weight on how quickly and effectively a receiving bank responds to these requests. Banks should review their service level agreements to ensure they are sufficient.
Adapting IDR processes for non-customer complaints: AFCA expects both receiving and sending banks to engage in the IDR process before it investigates complaints, including complaints from non-customers. This marks a significant shift, as IDR frameworks traditionally only handled complaints from account holders. Banks should assess whether their IDR policies, systems and staff training can effectively handle complaints from non-account holders, including verifying the legitimacy of such complaints without a direct customer relationship, coordinating with the sending bank when required, and otherwise ensuring compliance with Regulatory Guide 271.
Documenting everything: AFCA will assess whether the receiving bank's conduct met "existing legal obligations and good industry practice," including compliance with its own internal procedures. Banks that can produce a clear, contemporaneous record of what they did and why (e.g. fraud detection alerts sent, account restrictions imposed or removed, communications with sending banks and the rationale behind any decisions) will be in a stronger position to defend these complaints. Banks that cannot produce an audit trail of their response to scam reports will be at a significant disadvantage.
Next steps
With Treasury outlining the SPF's scope and compliance requirements, banks should use the consultation period, closing on 25 June 2026, to evaluate their readiness for these new obligations. By reviewing the consultation package, released to gather stakeholder feedback, banks can ensure they are prepared for compliance and raise any further issues or concerns that could help shape the final design of the framework.