What Businesses Need to Know

Introduction

On 12 March 2026, the Australian Financial Complaints Authority (AFCA) published its updated Rules and Operational Guidelines, representing a significant reform in AFCA’s jurisdiction since its establishment. Following the passage of the Scams Prevention Framework Act 2025 (Cth) (SPF), AFCA is to become the single External Dispute Resolution (EDR) scheme for scam complaints relating to telecommunication companies (telcos) and digital platforms alongside banks. The Rules represent the first stage of the reform plan, focusing on the regulation of receiving banks (banks that receive scam funds), with more information relating to telcos and digital platforms to be published in the future.

Other changes have also been made to AFCA’s jurisdiction including that AFCA is now able to publish the names of banks that fail to comply with AFCA determinations. This reform aims to increase transparency and accountability across the financial services sector and signals a firmer approach to enforcement.

Expansion of AFCA’s Jurisdiction

The reform intends to strengthen oversight, expand AFCA’s jurisdiction, and enhance transparency in complaint resolution. From 12 March 2026, AFCA’s jurisdiction has expanded to allow it to:

1. investigate the actions of receiving banks (banks that receive scam funds), even where the complainant is not their customer;
2. consider disputes involving unauthorised account openings by scammers; and
3. join multiple banks to a single complaint for proportionate liability assessment.

Since its creation, AFCA’s role has been to resolve service complaints which a consumer has with the consumer’s own financial services provider. Under this expansion of AFCA’s terms of reference, for scam losses, AFCA can make an adverse determination against a bank which have received funds from a scam victim’s bank notwithstanding the absence of any relationship between the receiving bank and the scam victim. AFCA can now allocate liability for scam losses on a multilateral basis, not just on a bilateral basis between a bank and its own customer.

Telcos and digital platforms will be required to join AFCA for scam-related complaints later this year or in 2027, while continuing to remain subject to existing sector regulators such as Australian Communications and Media Authority (ACMA) and the Telecommunications Industry Ombudsman (TIO) for other complaints. It will be interesting to see which “digital platforms” will be caught by the new legislation as at this stage the details are unclear.

AFCA will adhere to a six-year limitation period for hearing new complaints and a two-year limitation period for complaints that have undergone the internal dispute resolution (IDR) process. However, complaints cannot be duplicated.

For banks this means increased scrutiny of account opening controls, ID verification, mule account detection, and timely responses to fraud reports.

While the change does not create new legal duties to non‑customers, AFCA may require remediation (including compensation) where a bank’s conduct falls short of legal obligations or good industry practice. The reforms also sit alongside the forthcoming SPF, signalling heightened expectations for end‑to‑end scam prevention and response.

Apportionment of Liability

AFCA will be able to apportion liability across multiple banks involved in a scam transaction. It is far from clear how AFCA will do this. Further, according to a recent AFCA publication:

1. AFCA’s new jurisdiction does not create new legal obligations or duties of care for banks to consumers who are not their customers; and
2. the legal obligations which banks owe to non-customers are limited.

AFCA does have significant flexibility when deciding a matter noting that when determining a complaint, the AFCA decision maker:

1. must do what the AFCA Decision Maker considers is fair in all the circumstances having regard to:

a. legal principles;

b. applicable industry codes or guidance;

c. good industry practice; and

d. previous relevant Determinations of AFCA or Predecessor Schemes,

2. is not bound by rules of evidence or previous AFCA decisions.

Key Things to Consider

1. During an active complaint, banks are restricted from:

• commencing legal proceedings against the complainant or any other party in relation to the subject matter of the complaint;
• obtaining judgment or continue debt recovery proceedings commenced prior to the complaint being lodged; or
• recording a default on the complainant’s credit file.

2. Under the SPF, businesses should take reasonable steps to ‘prevent, detect and disrupt’ scams.

• Prevent: Implement proactive measures such as blocking suspicious text messages, emails, and social media communications, and alerting consumers about emerging scam trends.
• Detect: Use algorithms, monitoring systems, and fraud‑detection analytics to identify suspicious behaviour before a scam occurs.
• Disrupt: Block or suspend suspicious channels or require additional authentication before processing payments.
• Respond and Report: Respond to and report scams to overseeing regulatory bodies such as the ACCC, ACMA, ASIC and TIO.

3. Businesses that fail to meet their obligations under the SPF can be penalised up to $50 million depending on the severity of harm caused to consumers.

4. AFCA determinations made in favour of the consumer are binding on businesses and have limited opportunity to be appealed. The outcome will depend on the ‘reasonable steps’ taken by businesses.

5. While no new legal duties are created (at this stage), AFCA may require compensation or corrective action where conduct falls short of legal obligations or accepted industry practice. AFCA may also require businesses to compensate customers for non-financial loss.

What businesses should be doing

1. Review scam‑prevention systems by strengthening fraud detection, identity verification, and incident response capabilities.
2. Prepare for mandatory intelligence‑sharing by mapping data flows and noting what scam‑related information is to be reported and to which regulating body.
3. Update internal dispute resolution processes by increasing efficiency with shorter timeframes and reinforced transparency requirements.
4. Complete SPF/AFCA gap analysis and prioritise high‑loss scam routes.
5. Telcos and digital platforms should prepare for AFCA membership and educate themselves on potential binding determinations.
6. Participate in industry consultations throughout 2026 as this will shape the structure of the SPF and the enforcement of the Rules.

Banks specifically should:

1. Mule accounts: establish processes to detect suspected mule accounts early, review and act on them promptly, freeze funds where required, notify counterpart banks, and support after‑hours escalation.
2. Onboarding and account security: strengthen controls against unauthorised account openings and account‑takeover; keep auditable evidence of ‘reasonable steps’ taken.
3. Dispute Resolution: update IDR processes so they can deal with scam complaints from non‑customers (including receiving‑bank claims) and clearly demonstrate the actions taken across the full lifecycle of the scam.

AFCA has provided case examples which can be found here.

Conclusion

The combination of AFCA’s new Rules and the Scams Prevention Framework enhance the regulatory protections around scam prevention and increase obligations on businesses. This represents a regulatory shift from “who was the customer?” to “who could reasonably have prevented this?“. Businesses involved in receiving, holding or moving funds, particularly banks and payment providers, should treat this as a prompt to review fraud controls, escalation processes and governance frameworks. Telcos and digital platforms should prepare for the impending increased obligations under the SPF. Businesses that treat scam prevention as a shared, end‑to‑end responsibility, and can evidence that approach, will be best placed to limit both financial loss and reputational risk.

This article was written by Robert McGregor, Partner and Andrew Galvin, Partner, and Mayesha Karim-Monjur, Solicitor.

References

Legislation

Competition and Consumer Act 2010 (Cth)

Scams Prevention Framework Act 2025 (Cth)

Cases

Notesco Pty Ltd v Australian Financial Complaints Authority Ltd (2022) 365 FLR 163

Other

Australian Financial Complaints Authority, AFCA Rules (Rules approved 12 March 2026)

Australian Financial Complaints Authority, AFCA Operational Guidelines (Operational Guidelines approved 12 March 2026).

Australian Competition and Consumer Commission, ‘ACCC Welcomes Passage of World First Scams Prevention Laws’ (Media Release, 13 February 2025) ‹https://www.accc.gov.au/media-release/accc-welcomes-passage-of-world-first-scams-prevention-laws›

Australian Financial Complaints Authority, ‘AFCA to Publish Updated Rules on 12 March 2026’ (Webpage, 26 February 2026) ‹https://www.afca.org.au/members/news/afca-to-publish-updated-rules-on-12-march-2026›

Australian Financial Complaints Authority, ‘Scams Prevention Framework’ (Webpage, 13 February 2025) ‹https://www.afca.org.au/about-afca/scams-prevention-framework›

Australian Financial Complaints Authority, Receiving Banks and Unauthorised Opening of Accounts (Fact Sheet, 12 March 2026) <https://www.afca.org.au/about-afca/publications/factsheet-receiving-banks-and-unauthorised-opening-of-accounts>

Explanatory Statement, Competition and Consumer (Scams Prevention Framework—Regulated Sectors) Designation 2025 (Cth)

The Hon Stephen Jones MP, ‘Albanese Government Introduces Landmark Scams Prevention Framework’ (Media Release, 7 November 2024) ‹https://ministers.treasury.gov.au/ministers/stephen-jones-2022/media-releases/albanese-government-introduces-landmark-scams›