The Australian government’s current consultation on scam prevention will not be read by many fraud managers outside of the country. That is a shame, because it exhibits a far deeper understanding of the drivers of risk than much of the pseudo-informative quasi-advertising which gets circulated in lieu of objective advice. The key lessons learned in Australia are as follows:
- “While many businesses have been responding to the increasing threat of scams to Australian consumers, the Government remains concerned that these efforts are often siloed within particular businesses or sectors, or that take-up of broader measures has been irregular across each sector.” (Page 4, Introduction)
- “Scammers exploit loopholes… Every business in the scams ecosystem has a role to play in combatting scams. Therefore, a strong, whole-of-ecosystem regulatory framework is needed to ensure that those best placed in the system deal with the scams threat.” (Page 6, Objectives and key principles)
- “Scammers quickly adapt and are likely to shift their focus and activity to less regulated parts of the scams ecosystem. Scammers are also likely to target developments in technologies and markets to create new types of scams and harms. The Framework will need to be flexible and responsive to future changes in the scams ecosystem.” (Page 7, Objectives and key principles)
- “…there are numerous interrelated frameworks and reforms that will have an impact on scam activity. The Framework will complement and leverage these existing interrelated regulatory regimes and reform processes, to reduce overlap and regulatory burden on industry.” (Page 7, Objectives and key principles)
- “The initial sectors covered by the Framework would be those most targeted by scammers — banks, telecommunications providers and digital communications platforms — with scope for further sectors to be designated in future by the relevant Minister. These could include the superannuation sector, digital currency exchanges (cryptocurrency), other payment providers, and transaction-based digital platforms like online marketplaces.” (Page 8, Key features of the proposed Scams Code Framework)
- “The principles-based obligations would be flexible enough to account for the differing nature and sizes of regulated businesses. This would allow businesses to adjust their anti-scam efforts to the conditions of their sector, service offering or business model, and any changes in scam activity on their services.” (Page 11, Key features of the proposed Scams Code Framework)
- “Businesses regulated under the proposed Framework would be required to develop, maintain, and implement an anti-scam strategy. The strategy would need to set out the business’ approach to scam prevention, detection, disruption and response, based on its assessment of its risk in the scams ecosystem. It is proposed that anti-scams strategies have a high-level of sign-off within the business, such as the board or similar level of governance. It is expected that this will ensure a high-level of priority and oversight within the regulated business. Businesses would be required to regularly review the effectiveness of the strategy against the risk assessment, as well as monitor and report on ongoing compliance. This should include regular reporting to senior levels of the business to ensure that the strategy is effective and being adhered to.” (Page 13, Key features of the proposed Scams Code Framework)
- “Businesses regulated under the Framework would be required to share and act on information, to ensure that all businesses within the scams ecosystem have quality information to enable them to detect and prevent scams.” (Page 14, Key features of the proposed Scams Code Framework)
- “A business would also be required to take reasonable steps to act on scam intelligence shared with it by another business, industry bodies, law enforcement and regulators… This would include acting on intelligence to stop a current scam, prevent further scams from the same source occurring, or to otherwise address the consequences of a scam. Reasonable steps might include to promptly remove scam content or an identified scam account from a service, warning consumers or users that have also interacted with an identified scam or scammer and providing them with information or advice on actions to take if they have also been affected by a scam, or blocking an identified scam user from signing up to the service, to prevent further scams from occurring.” (Page 15, Key features of the proposed Scams Code Framework)
Australia is not alone in seeing the need for a joined-up philosophy for tackling scammers. Singapore has been setting the pace by establishing a unified anti-scam command office within the police and by defining circumstances when a victim’s losses will be reimbursed by either a bank or a telco. However, Australia’s eventual cross-sector framework may prove to be even more influential, much in the way that Australia has previously established widely-copied precedents for how telcos should tackle scams.
It is especially refreshing to see a government placing the focus where it is really needed by understanding scammers are motivated by the results of crime, not by a desire to execute one specific criminal method. Scammers do not care if their trickery involves a phone call, an SMS, a Whatsapp, an email or a link to a bogus website. Their end goal remains the same. That is why siloed thinking is often counterproductive, as it is in most forms of risk management. Countries can no more defend consumers through disjointed, uncoordinated anti-scam controls than you can secure your home by installing the most expensive and elaborate locks on your door whilst continuing to leave your windows wide open.
The Australian government’s involvement represents an important shift in who drives consumer protection forward. Too often the consumer protection agenda has been hijacked by vendors who want to sell solutions that are specific and inflexible. They are aided in their task by a sparsity of reliable data in the public domain. This leaves a vacuum that vendors can fill with biased statistics designed to promote the need for their products and services, whilst ignoring genuine problems that they cannot monetize. A ‘whole-of-ecosystem’ mindset requires everybody, including senior managers in businesses, to concentrate on the end goal of stopping scams instead of being distracted by one or two specific methods to counter crime. Or to put it another way, consumers are not actually protected by new billion-dollar controls that criminals will immediately work around, no matter how much the suppliers of those controls want us to believe otherwise.
The thinking behind the Singaporean and Australian approaches reminds me of the important shift in thinking when risk managers started acknowledging the need for enterprise risk management (ERM) as an umbrella activity that tied together the more specific silos of risk management within an organization. ERM has not taken off in the way hoped, and the reluctance to include security and fraud within a comprehensive ERM framework is partly to blame. But whether professionals consciously realize it or not, recent changes in thinking in security and consumer protection are now pushing organizations to adopt the same principles as promoted by ERM. That is because the principles of ERM remain correct even if they are ignored. Applying resources where there is the greatest risk mitigation will always be more efficient than choosing how to solve a problem first, then hoping that solution is sufficient.
It is pleasing to see that professionals from different backgrounds also admire the approach being taken in Australia. Ken Palla, an American expert in security and banking, made the following observation in a guest blog for BioCatch.
This is a big step forward to protect Australian consumers from scams.
Overall, this is a significant effort by the Australian government to involve all key sectors in the fight to eliminate consumer financial scams.
Palla singled out the Australian Communications and Media Authority (ACMA) for leading the way with scam reduction.
Specifically, kudos to the ACMA for their aggressive efforts to bring errant telco providers in line to support its scam rules and to penalize those providers when they fail to do so.
It is encouraging that professionals from different countries with differing experiences and expertise are finding common ground on how to tackle the global phenomenon of scams enabled by remote communications. Telcos need to be part of a broad alliance for consumer protection; no sector will be effective at curtailing scams if it tries to work in isolation.
The Australian government’s consultation on mandatory industry codes for scam reduction can be found here. The deadline for responses is January 29.



