Scam!
We’ve all seen the headlines. It’s usually a variation of the same story: the “good guys” chasing the “bad guys,” with the villains always appearing to be three steps ahead. For a long time, I never really questioned who those “good guys” actually were—or what they were doing besides playing a permanent game of catch-up.
But my recent work has made me look under the hood of Australia’s new defence system, the reality is far more complex than a simple police chase. To stop a scam today, it takes an entire ecosystem.
This is the world of the Scams Prevention Framework (SPF). Established under the Scams Prevention Framework Act 2025 (a major addition to our Competition and Consumer Act 2010), this is the blueprint for how Australia is finally fighting back.
Here is a look at the “who’s who” in the zoo.
SPF Good Guys - Thanks NotebookLM for drawing this
The Rule Makers#
Treasury & Minister (Law and Rules)#
Role: Policy authority and rule-maker
- Treasury designs SPF Policy and legislation.
- The Minister formally sets the SPF rules.
- Provides overall policy direction and legal authority for the framework.
Oversight and Enforcement#
ACCC (Australian Competition & Consumspf-good-guys.jpger Commission)#
Role: Regulator and enforcement authority
- Overall oversight body for SPF across the economy.
- Responsible for reporting, monitoring and enforcement.
- Ensures consistent application of SPF obligations across different industry sectors.
NASC (National Anti-Scam Centre)#
Role: Cross-sector coordination and intelligence function
- Specialist function within the ACCC.
- Coordinates scam prevention across different industry sectors.
- Aggregates scam intelligence and outcome reporting.
Sector Regulators (Operational Enforcement)#
ACMA (Australian Communications and Media Authority)#
Role: Telecommunications sector regulator
- Enforces SPF obligations on Telcos.
- Focuses on blocking, disruption, traceback and compliance.
- Oversees telco-specific scam prevention measures.
ASIC (Australian Securities and Investments Commission)#
Role: Financial services sector regulator
- Enforces SPF obligations on banks and financial institutions.
- Oversees scam-prevention controls, ASI (Actionable Scam Intelligence) usage and Internal Dispute Resolution (IDR).
- Ensures compliance within the financial services sector.
Digital Platforms currently do not have a named separate sector regulator in SPF legislation or rules. Currently ACCC is the designated SPF sector regulator for digital platforms.
External Dispute Resolution (EDR)#
AFCA (Australian Financial Complaints Authority)#
Role: Authorised EDR scheme operator
- Authorised as the single EDR body for scam complaints across the initial banking, telecommunications, and digital platform sectors.
- Responsible for independently determining consumer complaints and awarding compensation when businesses fail to meet their SPF obligations. (Note: Under the 2025 Act, there is a “waterfall” or “apportionment” model where liability can be shared between a bank, a telco, and a platform if all failed their “reasonable steps” for the same scam event.)
- Provides a consistent and holistic experience for victims, ensuring a “single door” for disputes that may involve multiple businesses from different industries.
- Regulated entities must be members of the scheme by 1 September 2026, with AFCA set to begin accepting SPF complaints from 1 January 2027.
It is not a small list, but wait, there is more.
There is more#
Then there are private industry and customer advocacy groups. These bodies are not “agencies” of the scam prevention framework itself but rather consultation partners.
Industry Advocacy Groups#
ATA (Australian Telecommunications Alliance)#
Role: Telecommunications sector representative
- Represents Telcos collectively.
- Coordinates sector inputs into SPF design.
- Support implementation feedback and consistency.
ABA (Australian Banking Association)#
Role: Banking sector representative
- Represents banks collectively.
- Coordinates sector input into SPF design.
- Supports implementation feedback and consistency.
DIGI (Digital Industry Group Inc.)#
Role: Digital platforms industry representative
- Represents major digital platforms.
- Provides coordinated policy and operational input.
- Ensures platform perspectives are reflected in SPF development.
DIGI is not a regulator. It has no enforcement, compliance or regulatory power.
Consumer Advocacy & Public Interest Oversight#
Treasury documents also mention consulting with “consumer groups,” CALC is not explicitly named in the legislation or ACCC releases as a formal SPF agency.
CALC (Consumer Action Law Centre)#
Role: Consumer and victim advocacy
- Represent scam victim’s interests.
- Provide independent policy input.
- Applies scrutiny and challenge through SPF consultations.
- Ensures consumers harm remains central to SPF design.
And More#
Scams move very fast across sectors:
- A scam typically starts on a digital platform.
- Moves via telecommunication services (SMS, MMS, Voice).
- Ends in financial services.
SPF requires different sectors to share intelligence with each other so that scams can be detected and disrupted. So how do they exchange information within and across the sectors?
There are two more entities - AFCX and GSE, which exist to operationalise intelligence sharing.
AFCX (Australian Financial Crimes Exchange)#
What problem it solves#
- Banks already exchange sensitive, high‑risk intelligence (e.g. mule accounts, payment flows).
- This requires high trust, proven governance and financial‑crime credibility.
- Re‑building this from scratch would slow SPF implementation.
Why it matters under SPF#
- Financial services have early, high‑value signals
- These signals are critical for:
- freezing funds
- tracing scam networks
- retrospective disruption
What AFCX does best#
- Bank‑grade intelligence sharing
- Strong legal safe‑harbour precedents
- Existing operational uptake
- Lower onboarding friction for banks
Limitation#
- Primarily financial‑sector‑centric
- Not designed natively for telcos and platforms
Without AFCX: SPF would lose immediate access to the richest, most mature scam intelligence source.
GSE (Global Signal Exchange)#
What problem it solves#
- Scams don’t respect sector boundaries.
- Telcos, platforms and banks need machine‑readable, low‑latency indicators.
- Manual or sector‑only sharing is too slow.
Why it matters under SPF#
- SPF emphasises:
- early detection
- proactive disruption
- shared ASI (Actionable Scam Intelligence)
- That requires automation at scale.
What GSE does best#
- Near‑real‑time, standardised signal exchange
- Designed for:
- URLs
- phone numbers
- domains
- wallets
- behavioural indicators
- Usable by multiple sectors simultaneously
Limitation#
- Newer capability
- Less embedded trust than long‑standing bank platforms
- Requires broader onboarding and governance maturity
Without GSE: SPF would be slow, fragmented and largely reactive.
They solve different layers of the same problem:
- AFCX anchors SPF in trusted, outcome‑rich financial intelligence
- GSE enables speed, scale and cross‑sector disruption
Many boxes to connect#
So, there they are - all the boxes that finally need to connect. We have a lot of “good guys”, each with a specific mandate, being forced to speak a common language for the first time.
Whether it’s AFCX providing the high-trust depth needed to freeze a bank account, or GSE providing the machine-speed scale to block a malicious URL across every telco in minutes, they represent the “nervous system” Australia has been missing.
I know this was an information dump. It’s a dry, acronym-heavy “who’s who” in the scam-fighting zoo. But if you’ve made it this far, you know that the complexity of the framework is simply a reflection of the complexity of the crime.
As we head toward the July 1st go-live, the big question isn’t whether these boxes can talk to each other. It’s whether they can talk fast enough to catch a scam that moves at the speed of a click.