On 28 May 2026, the Australian Government registered the Competition and Consumer (Scams Prevention Framework–Regulated Sectors) Designation 2026, naming banks, telecommunications carriers and digital platforms (social media, search and instant messaging) as the first sectors bound by the Scams Prevention Framework Act 2025. Designated entities can apply for membership of the Australian Financial Complaints Authority from 1 July 2026, and the framework takes full effect on 31 March 2027. Built into Part IVF of the Competition and Consumer Act 2010, it is the world's first cross-sectoral, mandatory scams regime — and it deserves to be assessed on both its ambition and its design.
The case for acting is real
Start with the strongest version of the government's argument, because it is genuinely strong. Australians reported AUD$2.18 billion in scam losses in 2025 across 274,577 loss reports — up 7.8% on 2024, according to the ACCC's National Anti-Scam Centre. Investment scams alone accounted for $837.7 million. The ACCC's data shows websites and social media driving a 31.8% jump in online scam reports. Scammers exploit the seams between sectors: a fraudulent ad surfaces on a platform, contact moves to an encrypted messenger, and money leaves through a bank. No single actor sees the whole chain, so leaving each to act alone has predictably failed. A coordinated, whole-of-ecosystem duty — what ACCC Deputy Chair Catriona Lowe calls a problem requiring "a coordinated, whole-of-ecosystem approach" — is a defensible response to a coordinated, whole-of-ecosystem harm.
Six duties, three regulators, fifty million dollars
The Act imposes six overarching obligations on every regulated entity: govern, prevent, detect, disrupt, respond and report. Enforcement is split across a multi-regulator model — the ACCC as general regulator and overseer of digital platforms, ASIC for banks, and ACMA for telcos — with sector-specific codes layered on top. The penalties are the headline: the framework is widely reported as carrying fines of up to AUD$50 million per contravention, and the underlying statute sets Tier 1 civil penalties for bodies corporate at the greater of 159,745 penalty units (about $52.7 million), three times the benefit obtained, or 30% of adjusted turnover. AFCA will provide a single external-dispute-resolution path, so a consumer scammed across a bank, a telco and a platform can pursue redress in one forum rather than three.
Where proportionality strains
Here is where a pro-innovation lens matters. The obligations are framed as outcome duties — take "reasonable steps" to prevent, detect and disrupt scams — rather than prescriptive rules. That is the right instinct: outcome-based regulation ages better than technology-specific mandates. But pair an undefined "reasonable steps" standard with $50-million exposure and you create a powerful incentive to over-remove. When the cost of an under-block is potentially eight figures and the cost of an over-block is a deleted post or a frozen legitimate transaction, rational compliance teams will err toward suppression. The people who pay for that caution are not scammers; they are legitimate advertisers, small businesses, and users whose lawful speech and payments get caught in the dragnet.
There is also a deeper conceptual move worth naming. The framework makes platforms liable for harms originated by third parties — fraud the platform did not commit and often cannot fully see. This is a meaningful departure from the intermediary-liability principles that allowed the open internet to scale. Conscripting platforms, telcos and banks as liability backstops for criminal conduct may be the most administratively convenient lever the state has, but convenience is not the same as proportionality, and it quietly relocates the cost of policing crime onto private infrastructure.
A familiar Australian pattern
This is the through-line connecting the new framework to the News Media and Digital Platforms Mandatory Bargaining Code of 2021. In both cases, Australia identified a public-interest problem — declining journalism revenue then, scam losses now — and addressed it by designating digital platforms as the responsible, payable or liable party, leveraging their scale and deep pockets. The bargaining code used the threat of designation to extract payments to publishers; the scams framework uses the threat of designation and penalty to extract compliance spending and consumer reimbursement. The mechanism is the same: regulate the chokepoint, not just the wrongdoer.
That pattern can work — but it carries a standing risk of scope creep, because designation is an executive act. The Act lets the Treasury minister add sectors by instrument, and the first designation arrived barely fifteen months after Royal Assent (20 February 2025). Each future expansion will face the same temptation: reach for the platform as the convenient backstop.
What good implementation looks like
The framework is not the wrong tool, but its legitimacy will live or die in the sector codes due before 31 March 2027. Three tests matter. First, the codes must define "reasonable steps" concretely enough that compliance does not collapse into reflexive over-blocking. Second, the 28-day good-faith safe harbour for proportionate action must be broad and predictable, or it will not actually shelter the experimentation it promises. Third, regulators should publish what proportion of losses the regime prevents, so the public can judge whether $50-million duties on lawful intermediaries are buying real reductions in the $2.18 billion problem — or merely shifting blame. Get the codes right and Australia exports a model; get them wrong and it exports a chilling-effect machine.