Browse our range of reports and publications including performance and financial statement audit reports, assurance review reports, information reports and annual reports.
Department of the Treasury’s Readiness to Implement the Scams Prevention Framework
Please direct enquiries through our contact page.
Audit snapshot
Why did we do this audit?
- Scams are a major threat to Australian consumers and businesses. At least $2.03 billion was reported as lost to scams in 2024.
- The Australian Government has committed to measures to prevent and respond to scams; including the establishment of the Scams Prevention Framework (SPF).
- This audit provides assurance to Parliament on whether the Department of the Treasury (Treasury) is ready to implement the SPF.
Key facts
- The Scams Prevention Framework Act 2025 outlines the objective of the SPF to ‘prevent and respond to scams’.
- Treasury has implementation plans for the SPF to allow for operation of the framework by the end of 2027.
- As at March 2026 Treasury has identified 15 major delays and 16 minor delays in SPF implementation activities underway.
What did we find?
- Treasury has a largely appropriate implementation plan to deliver the SPF up until the commencement of its operation. To position Treasury to advise government on the longer-term effectiveness of the framework, it will need to develop plans for monitoring, reporting and evaluation.
- After the SPF enabling legislation is enacted, Treasury is responsible for advice to government on the success of the SPF, including reporting on the collective performance of the Australian Competition and Consumer Commission, the Australian Securities and Investment Commission, the Australian Communication and Media Authority and the Australian Financial Complaints Authority; and the ongoing fitness for purpose of the legislative framework.
What did we recommend?
- There were four recommendations to Treasury about risk management, overseeing collective work of regulators, monitoring and reporting, and evaluation.
- Treasury agreed to all recommendations.
494,732
scams reported by Australians in 2024.
$1.021 bn
is the expected SPF total cost to industry over the next ten years.
60
out of 163 implementation activities completed (as at March 2026).
Summary and recommendations
Audit objective
1. The audit objective was to assess the Department of the Treasury’s (Treasury) readiness to implement the Scams Prevention Framework (SPF).
2. To form a conclusion against the objective, the ANAO adopted the following high-level audit criterion:
- Has Treasury established appropriate implementation arrangements and monitoring for the Scams Prevention Framework?
Audit conclusion
3. Treasury has largely appropriate implementation and monitoring arrangements to support its readiness to implement the SPF, up to the point where the SPF becomes operational. To position Treasury to provide impactful, informed and influential advice about the SPF in operation, it will need to develop monitoring, reporting and evaluation arrangements.
Supporting findings
Implementation plans establish largely appropriate governance arrangements up until the commencement of the SPF; however Treasury has not yet planned for its role to provide advice about the success of the SPF in operation
4. Treasury’s plan identifies who will implement SPF deliverables, with a shared pathway for delivery. There are no plans extending to Treasury’s role once the SPF becomes operational. ( See paragraphs 2.8 to 2.19)
5. Treasury’s implementation plan considers risks to implementation milestones including shared risks, but does not document risk levels and tolerance, nor extend to consideration of risks once the SPF becomes operational. (See paragraphs 2.20 to 2.33)
6. Treasury has oversight of progress of implementation milestones in its plan up until commencement of the SPF operations. (See paragraphs 2.34 to 2.42)
7. Treasury has considered costs and benefits of the SPF; however there is no plan to develop benchmark data that could support monitoring and evaluation. (See paragraphs 2.43 to 2.48)
8. Treasury has a stakeholder engagement strategy and consultation plans up until commencement of the SPF but these do not extend to the SPF in operation. (See paragraphs 2.49 to 2.65)
Treasury does not yet have appropriate arrangements to monitor, report and evaluate on whether the SPF has met its objectives
9. Treasury has not designed performance reporting arrangements to ensure that the SPF can be assessed against its objectives. (See paragraphs 2.75 to 2.83)
10. Treasury has not yet established arrangements to support evaluation of SPF outcomes. (See paragraphs 2.84 to 2.93)
Recommendations
11. The ANAO made four recommendations aimed at Treasury to:
- review risk management documentation, including risk level, tolerance and monitoring the risks to the effectiveness of the collective performance of regulators (see paragraph 2.33);
- develop ongoing stakeholder consultation plans to assess the effectiveness of collective regulation (see paragraph 2.55);
- develop a plan for monitoring and reporting in consultation with regulators (see paragraph 2.83); and
- establish an evaluation plan (see paragraph 2.93).
Rationale for undertaking the audit
12. Globally, scams were estimated to cost consumers $1.026 trillion in 2023.1 Scams are a major threat to Australian consumers and businesses, with financial losses to scams reported by the Australian Competition and Consumer Commission (ACCC) to be at least $2.03 billion in 2024 from 494,732 scams reported.2 In February 2025, the Australian Parliament passed the Scams Prevention Framework Act 2025 (SPF Act). The SPF aims to raise ‘the bar across the economy by setting out consistent and enforceable obligations for businesses in key sectors where scammers operate … and make Australia one of the toughest places in the world for scammers to target’.3
13. This audit is designed to provide timely and targeted assurance of Treasury’s readiness to implement the SPF while arrangements are still being put in place, before commencement of sector obligations by mid-2026. In mid-2026 activities shift to the ongoing administration of the SPF by regulating entities with oversight of collective performance of the SPF by Treasury.
14. This audit provides assurance to Parliament on whether Treasury is ready to implement the SPF.
Audit approach
15. The audit methodology included an examination of entity records and consultation with relevant departmental staff. The audit was conducted in accordance with ANAO Auditing Standards at a cost to the ANAO of approximately $229,935. The team members for this audit were Elvira Manjaji-Baxter, Yu Wen Wong, Eb Chomkul and David Tellis.
Summary of entity response
16. The proposed audit report was provided to Treasury. The summary response to the report is below and the full response is at Appendix 1. Improvements observed by the ANAO during the course of this audit are listed in Appendix 2.
Department of the Treasury
Treasury welcomes the key messages in the report, in particular that Treasury has largely appropriate implementation and monitoring arrangements to support implementing the Scams Prevention Framework (the Framework) to the point of operation. Treasury acknowledges the report finding that Treasury will need to develop plans for monitoring, reporting and evaluation post commencement. We consider this reflects the audit being conducted during implementation and that it is appropriate to have focused Treasury efforts to date on commencing the Framework.
Treasury agrees with the recommendations presented in the report. Treasury intends to develop an approach to support monitoring the effectiveness of the Framework that builds upon existing close engagement with regulators, consumer groups and industry stakeholders. It will also consider how to refine project documentation, including with regard to risk and accountability.
Scams continue to be a major threat to Australians and supporting the implementation of the Framework to ensure better protections against scams is a key priority for Treasury.
Key messages from this audit for all Australian Government entities
Stewardship of strategies, policies and frameworks
1. Background
Introduction
1.1 The Australian Competition and Consumer Commission (ACCC) defines scams as ‘when criminals deceive people to steal their money or personal information’.4 Common types of scams relate to: dating and romance; investment; buying and selling; personal information theft; threats and extortion; jobs and employment; offers or receipt of unexpected money; travel, prizes and lottery; and fake charities.
1.2 Scams are a major threat to Australian consumers and businesses. Through Scamwatch’s5 Targeting Scams report, the ACCC reported at least $2.03 billion lost to scams in 2024 from the 494,732 scams reported.6 Scamwatch’s data sources for this report are ReportCyber7, IDCARE8, Australian Financial Crimes Exchange9 (AFCX), and Australian Securities and Investment Commission (ASIC).10
1.3 There are other sources for scam reports such as the Australian Taxation Office11, Australian Institute of Criminology12, Australian Communications and Media Authority (ACMA)13 and Australian Financial Complaints Authority (AFCA).14 The Australian Bureau of Statistics also reports on personal fraud, including card fraud, identity theft, and scams.15
1.4 In November 2021, the Australian Labor Party announced an election commitment to fight scams and online fraud, including proposals to:
- establish a National Anti-Scam Centre (NASC) ‘bringing together law enforcement, banks, telecommunication providers and consumer advocates to harden national defences protecting Australian consumers and small business’;
- double the funding for identification recovery services;
- facilitate government agency collaboration (through National Cabinet) on recovery of government-issued ID;
- establish ‘new industry codes for banks, telecommunications providers, social media providers and government agencies to clearly define responsibilities for protecting consumers and businesses online’;
- review penalties and remedies for online fraud, misleading conduct and deceptive practices;
- ensure that technology platforms that profit from online advertising are responsible for prompt removal of scam advertising; and
- task a minister with direct portfolio responsibility for championing online consumer protection.16
1.5 The NASC was set up within the ACCC in July 2023 to combat scams by aiming to link government organisations, industry and consumers to disrupt scam activity in Australia.17 The NASC received $58 million in the 2023–24 federal Budget to ‘improve scam data sharing across government and the private sector and to establish public-private sector fusion cells to target specific scams’.18 The government announced $6.7 million in the 2025–26 federal Budget to extend the operation of the NASC, ‘to continue protecting consumers and businesses from scam activity’.19
1.6 The NASC has reported that continued action against scams — such as data and intelligence sharing — is warranted, as factors contributing to the decrease in reporting between 2023 and 2024 may include:
- increased sophistication of scams making it harder for consumers to recognise significant scams and report them;
- report fatigue;
- increased promotion of reporting channels;
- scam prevention initiatives such as improved call and SMS blocking, phishing filters and fraud monitoring; and
- greater public awareness and education assisting consumers to identify scams.20
1.7 In the 2024–25 federal Budget, the measure, Fighting Scams was announced to ‘continue to combat scams and online fraud through: the introduction of mandatory industry codes to be established under a Scams Code Framework; and increased use of the secure eInvoicing network’.21 Treasury advised the ANAO in February 2026 that this wider package announced in the budget included the delivery of the Scams Prevention Framework (SPF).
1.8 In November 2024, the government introduced the Scams Prevention Framework Bill 2024. Both houses of the Australian Parliament passed the Scams Prevention Framework Act 2025 (SPF Act) on 13 February 2025 and the bill received royal assent on 20 February 2025. Section 58AA of the SPF Act outlines the objective of the SPF to ‘prevent and respond to scams’.22 The SPF aims to raise ‘the bar across the economy by setting out consistent and enforceable obligations for businesses in key sectors where scammers operate’.23 The SPF Act provides the minister with legislative power to make other legislative instruments such as rules and codes which provide further clarity to the operation of the SPF.
1.9 Scams are defined by the SPF Act as a direct or indirect attempt to cause loss or harm that involves deception.24 This includes obtaining personal information, financial or other benefits from Australian residents, small businesses in Australia or their associates.25 The SPF Act Explanatory Memorandum provides examples of potential exclusions from the meaning of scams including:
- fraud without consumer action (i.e. no direct engagement between consumer and scammer);
- cybercrime (e.g. data breach or hack);
- certain conduct under anti-money laundering and counter-terrorism financing legislation;
- transactions involving faulty products; and
- transactions performed under the threat of imminent violence.26
1.10 The SPF will initially apply to the consumer banking, telecommunications and digital platform sectors. The SPF establishes principle-based obligations requiring businesses to take reasonable steps to prevent, detect and disrupt scams. It also sets out new governance, response and reporting requirements, including introducing dispute resolution services for consumers (individuals and small businesses).27 The minister may designate new sectors.28
1.11 The SPF states:
the Government introduced the Scams Prevention Framework Bill 2024 to establish world-leading protections against scams … by setting out consistent and enforceable obligations for businesses in key sectors where scammers operate. This will better protect consumers and make Australia one of the toughest places in the world for scammers to target.29
1.12 The Department of the Treasury (Treasury) has been assigned responsibility to coordinate implementation of the SPF, including delivery of the subordinate legislation that implements the SPF. The legislation has specific roles for the regulators and complaints handling (see paragraphs 1.17 to 1.18).
1.13 Treasury’s SPF impact analysis has identified the SPF’s core objectives as ‘reduce scam harms’ and ‘align benefits and cost of scam prevention’.30 It states that ‘the government aims to facilitate improved outcomes against these core objectives through’:
- improving the consistency, quality and timeliness of industry response to scam activity;
- greater levels of industry collaboration, reporting and information sharing between businesses and to regulators about scam activity; and
- increased accessibility and transparency of pathways for consumers to report and seek support when experiencing a scam.31
1.14 Treasury is responsible for delivering subordinate legislation to implement the SPF that enact:
- sector designation instruments;
- sector codes of conduct;
- authorisation of AFCA32, as the operator of the external dispute resolution (EDR) scheme; and
- SPF rules (e.g. rules related to intelligence sharing, exceptions to the definition of a scam and designation exceptions).
1.15 Treasury will lead the process to deliver these elements that enact the SPF by the end of 2027.33 These elements will set out the requirements for industry scam reporting. Sections 58BR, 58BT and 58BY of the SPF Act set out the rules for reporting ‘actionable scam intelligence’ (ASI), how to access reports and reporting on outcomes of ASI investigations.34 The SPF rules will detail the timing, manner, form and kinds of information that will be required to be reported by regulated entities as ASI and scam investigation reports.
1.16 The intelligence sharing rules will be delivered after the other SPF rules are in place. The intelligence sharing rules are to be operational by the end of 2027.
1.17 Once the three initial sectors are designated, the banking sector will be regulated by the ASIC; the telecommunications sector by ACMA; and the digital platform sector by the ACCC.35 The ACCC is the general regulator and will enforce the regulations imposed by the SPF Act.
1.18 The minister will authorise AFCA, a non-government entity, to establish an EDR service for consumers.36 The government has announced up to $14.7 million over two years from 2024–25 in funding to AFCA to support this arrangement.37 AFCA’s SPF responsibilities will be monitored by ASIC.
1.19 If consumers have a complaint, through the SPF, they can access the relevant organisation’s internal dispute resolution (IDR) process. If the consumer considers the complaint is not satisfactorily resolved through the IDR, they can approach AFCA for EDR.38
Audit scope
1.20 The audit focused on Treasury’s implementation readiness up to mid-March 2026. The effectiveness of contributions made by other entities to implementation of the SPF were excluded from the scope. As the audit was completed in parallel with delivery of the implementation plan, the audit scope also did not include review of specific details of policy proposals that supported implementation, which were made after the audit fieldwork stage.
Audit methodology
1.21 The audit involved examining departmental records and meetings with relevant Treasury staff.
2. Implementation arrangements, monitoring and evaluation
Areas examined
The ANAO assessed whether the governance arrangements, timeframes, monitoring, reporting and evaluation for the implementation plan for the Scams Prevention Framework (SPF) were appropriate.
Conclusion
The Department of the Treasury (Treasury) has largely appropriate implementation plans which provide Treasury with oversight over SPF implementation milestones and shared risks, up to the commencement of the SPF. Treasury’s plan includes a stakeholder engagement strategy and consultation plan. Treasury’s planning does not extend to its role to review and advise government on the effectiveness of the SPF and collective regulatory activities, once the framework is operational.
As a steward responsible for providing impactful, informed and influential advice, Treasury should consider and plan the governance arrangements necessary to support oversight of the operation of the SPF. Treasury has not yet established monitoring and reporting arrangements to support evaluation of the SPF against its objectives.
Areas for improvement
The ANAO made four recommendations aimed at:
- reviewing risk management, including risk level and tolerance;
- developing ongoing stakeholder consultation plans to assess the effectiveness of the operation of the SPF and the quality of regulation as a whole;
- developing monitoring and reporting plans with regulators; and
- establishing an evaluation plan.
The ANAO suggested two opportunities for improvements aimed at:
- improving documentation to capture who has accountability for key documents, milestones and changes; and
- developing a methodology with delivering entities to establish and measure the benefits of SPF.
2.1 Implementation plans should identify deliverables and milestones and embed evaluation at the outset. The Department of the Prime Minister and Cabinet’s Australian Government Guide to Policy Impact Analysis defines factors that can contribute to successful implementation of government policies.39 This guide describes best practice guidance for implementation, through a clear implementation plan for delivering proposed policies that includes:
- a shared understanding for key stakeholders involved in implementation;
- identifying timeframes, implementation phases and challenges; and
- appropriate resources for delivery.40
2.2 The Australian Public Service (APS) Academy Delivering Great Policy Model, states that for a policy to be practical to implement, it should:
- lead to the desired policy outcomes;
- be fully explored and tested;
- understood as working in the real world;
- be considered in terms of long-term impacts, perverse incentives and unintended outcomes; and
- ensure evaluation is ‘baked in from the outset, and linked to policy outcomes’.41
2.3 Australian Government entities are subject to performance measurement and reporting requirements under the Public Governance, Performance and Accountability Act 2013 (PGPA Act) and Public Governance, Performance and Accountability Rule 2014 (PGPA Rule).42
2.4 As the leaders of the SPF, under the Public Service Act 1999, Treasury is required to uphold the value of stewardship.43 As a steward, the entity is required to build capability and institutional knowledge, and support public interest, by understanding the long-term impacts of what it does. When policy implementation and delivery are managed by different entities, the policy owner remains accountable for lawful program delivery and the achievement of intended outcomes. The policy owner should monitor program implementation, work with other entities to address compliance and performance issues, assess if policy or legislative complexity negatively impacts delivery, evaluate performance and report on program effectiveness.44
Implementation plans establish largely appropriate governance arrangements up until the commencement of the SPF; however Treasury has not yet planned for its role to provide advice about the success of the SPF in operation
2.5 The Australian Government Guide to Policy Impact Analysis describes the following questions to consider when developing an implementation plan.
- Who will implement the chosen solution?
- Do you have the right amount and type of resources to implement your policy?
- Does your implementation plan include adequate risk management arrangements?
- How will you ensure your stakeholders are adequately involved or informed about progress?45
2.6 The guide also states that:
It’s essential to have a plan for how you will monitor and evaluate your proposed policy option. Plan from the start what will be measured, how it will be measured and by whom, and why and who you will report this to. This includes identifying potential data sources, and determining whether a data sharing agreement, ethics approval or a privacy impact assessment would be required.46
2.7 Treasury’s performance statement includes Key activity 1 that requires Treasury to provide ‘policy advice and analysis [that] is impactful, informed and influential’.47
Treasury’s plan identifies who will implement SPF deliverables, with a shared pathway for delivery. There are no plans extending to Treasury’s role once the SPF becomes operational
2.8 After enactment of the Scams Prevention Framework Act 2025 (SPF Act) on 20 February 2025, the government agreed to SPF implementation activities on 21 July 2025 to deliver the SPF components. After the plan was agreed, Treasury provided options for delivery timeframes. On 24 September 2025 the government approved a timeframe for implementation with plans for delivery of all elements of the SPF by the end of 2027.
2.9 Figure 2.1 shows a timeline of decisions made and planned to support establishment of the implementation plan, since the election commitment was made to fight scams (see paragraph 1.4).
Figure 2.1: Decisions made and planned to support implementation planning for the SPF from November 2021 to June 2026 as of April 2026
Key:
Green Assistant Treasurer approvals and agreements.
Blue Public announcements and approvals.
Dark red Assistant Treasurer’s planned approvals and releases.
Note a: Treasury advised the ANAO in April 2026, that the Assistant Treasurer has not yet agreed to sector designation and Australian Financial Complaints Authority (AFCA) authorisation.
Note: Timing of planned events is subject to change.
Source: ANAO analysis of Treasury documents.
2.10 To establish the framework Treasury will implement the following components of the SPF:
- designation instruments to bring regulated sectors into the SPF and formalise the sector regulators;
- sector codes to set out sector specific obligations for regulated entities;
- an instrument to authorise an external dispute resolution (EDR) scheme (to be run by AFCA) for the initial three designated sectors; and
- SPF rules which may set out matters relating to reporting (information sharing) requirements, internal dispute resolution (IDR) arrangements, narrowing definitions if required and other operational details.
2.11 Regulation of the codes of conduct will be the responsibility of the Australian Consumer and Competition Commission (ACCC), the Australian Communications and Media Authority (ACMA)48 and Australian Securities and Investment Commission (ASIC). Treasury is responsible for producing the banking and digital platform codes; and ACMA will deliver the telecommunication sector code.
2.12 The government requested more details on the timeframes after approving a pathway for implementation of the SPF on 21 July 2025. Treasury provided options for an implementation timeline which was agreed to by government on 24 September 2025, including an option that would have all initial sectors designated, sector codes and SPF rules, excluding intelligence sharing rules, in force by 30 June 2026. Intelligence sharing rules and an EDR would be in force by the end of 2027. The government was advised that:
on balance … this option will be most acceptable to key stakeholders as it will allow the commencement of some aspects of the SPF relatively quickly … and will give designated sectors and consumers more certainty around obligations.
2.13 Partial commencement in a shorter timeframe heightened the risk that expediting industry codes could lead to design flaws. Treasury advised that the risk could be managed through closer engagement with industry; and the benefits of faster delivery of the rest of the SPF could mean:
- faster introduction of consumer protection measures;
- maintaining accountability for regulated entities and encouraging continued action against scams;
- minimised criticism from consumer groups about consumer protection delays; and
- IDR and compensation through court would be available for consumer redress, before AFCA’s EDR scheme becomes available.
2.14 Under the plan, the majority of legislative instruments that allow for implementation was to be in place by the middle of Quarter 2, 202649, with subordinate legislation that introduces SPF intelligence sharing rules by the end of Quarter 2, 2027. The plan identifies all transition periods concluding by the end of 2027. The plan includes a potential ‘code uplift’ between Quarter 3, 2026 to the end of 2027 for sector codes. This ‘code uplift’ was identified as subject to government interest and policy resourcing (see paragraph 2.16 and Figure 2.2). Treasury advised the ANAO in January 2026, that a ‘code uplift’ was intended to refer to the possibility of updating codes after they were initially made, as under the SPF, codes may be remade or updated.
2.15 Treasury’s plan for delivery does not account for assessing the effectiveness of collective regulation after delivery of legislation underpinning the SPF; to enable it to advise government on the overall success of the SPF in achieving its objectives. Treasury advised the ANAO in March 2026 that ‘Treasury’s role in monitoring and evaluation beyond Quarter 4, 2027, will be routine oversight of the operation of the legislation (as occurs for other legislation in the Treasury portfolio) unless otherwise directed by government’.
2.16 Figure 2.2 shows the timing of the approved option, the department’s legislative drafting stages and the completed stages of the SPF implementation plan. As of March 2026, the plan indicates the described implementation activities (including transitional arrangements) to be complete by the end of 2027. There are no plans setting out Treasury’s role in providing advice to the government on the effectiveness of the implementation activities, including advice on the effectiveness of the legislation. The completed stages for initial sector designation, sector codes, AFCA scheme designation and SPF rules (for IDR and other rules) are behind schedule. Risks to delivery have been reported to the minister. Treasury tracks the progress of the activities weekly (see paragraph 2.38).
Figure 2.2: Summary of Treasury’s approved implementation plan for SPF on 24 September 2025 and completed stages of implementation plan for the SPF as of March 2026
Note a: Dotted red line indicates when the SPF activity status was last updated, mid-March 2026.
Source: ANAO summary of Treasury’s implementation plan approved by the minister and the Workstream Update document.
2.17 Treasury has established a number of work streams, each with their own project overview that assigns responsibilities and guides implementation of all components of the SPF. These plans are for work related to:
- the banking sector;
- digital platforms;
- telecommunications;
- SPF rules;
- intelligence sharing;
- redress; and
- internal governance and cross-stream coordination.
2.18 Treasury’s work stream project overview documents are all in draft. Treasury advised the ANAO in February 2026 that ‘project plans are considered internal documents and were reviewed at a Director level but were not subject to formal approvals’.
Opportunity for improvement
2.19 Treasury could consider finalising planning documents so it is clear which senior responsible officer has accountability for those documents and milestones; and changes to documents and approvals are clearly traceable through version control logs.
Treasury’s implementation plan considers risks to implementation milestones including shared risks, but does not document risk levels and tolerance, nor extend to consideration of risks once the SPF becomes operational
2.20 As steward of the SPF, Treasury has the responsibility for working to ensure the long-term integrity and sustainability of the SPF. The PGPA Act imposes a duty on accountable authorities to ‘establish and maintain systems relating to risk and control’ and keep the ‘responsible Minister and Finance Minister informed’.50 Treasury has considered and reported on risks related to implementation of the SPF components in accordance with its plan.
2.21 Treasury’s Risk Management Framework and Risk Management Policy endorsed in October 2024, describes the expectations, principles, accountabilities and responsibilities for staff to apply effective risk management across all departmental activities. It sets out a model for encouraging a positive risk culture by ensuring that risk management activities are integrated into everyday activities and decision-making. Templates and guidance from the department are available to officials to assist with assessing and managing risk.
2.22 The Risk Management Policy emphasises the importance of monitoring and reporting risk information. Under the risk policy, risk tolerance and appetite should be understood and risk should be continuously reviewed to improve risk management practices. Business areas are responsible for managing risk registers for their own activities.
2.23 Treasury advised the ANAO in February 2026 that the central risk register captures group-level strategic risk and serves as the enterprise risk register. Progressing initiatives like the legislation for the scams framework is referenced in the Market Groups Central Risk Register as context for their ‘operational environment’.
2.24 Treasury identified six risks and sensitivities that relate to resourcing and stakeholder engagement as summarised at Table 2.1.
Table 2.1: Summary of the risks and sensitivities related to resourcing and stakeholder engagement
|
Risks and sensitivities |
Detail |
Treasury mitigations |
|
Timing pressure |
Delays could attract criticism from consumer groups and impede business investment decisions needed for compliance. |
Use grace periods. |
|
Policy complexity |
Complexity could affect implementation. |
Use an incremental approach to implementation. |
|
Regulatory implications |
Implementation should ensure regulation is targeted and existing infrastructure used (where possible), to mitigate against the risk of undue burdens being placed on industry. |
Ensure regulation is targeted. |
|
Funding and resource constraints |
Treasury resourcing is subject to departmental priorities and decisions of government. |
Continue to consider ongoing funding needs. |
|
Foreign affairs |
Certain countries might perceive being subject to more regulation than others. |
Apply regulation to all sectors concurrently. |
|
Consumer redress arrangements |
Consumers and stakeholders may not be satisfied with compensation arrangements in the SPF. |
Not applicable; is a sensitivity. |
Source: ANAO summary of advice to government.
2.25 In its advice to government noted on 24 September 2025 (see paragraph 2.12), Treasury identified the following risks to the approved option for an iterative approach to SPF implementation (by delaying the implementation of the intelligence-sharing rules):
- reputational risk, as the SPF may not meet stakeholder expectations of an appropriate level of action taken to address harms caused by scams; and
- less clarity on obligations will reduce the likelihood of appropriate regulatory action and dispute resolution.
2.26 Treasury advised that a delay to the introduction of intelligence rules was ‘most acceptable to key stakeholders’. It would give industry more time, but consumer groups would not view it positively.
2.27 Treasury identified the risk that Treasury’s management of the SPF implementation is affected by departmental priorities and resource allocation. Treasury identified other key challenges for implementation through project plans, including: risks for the digital platform sector; funding the new EDR scheme; delaying the introduction of the intelligence sharing rules; and NASC funding ambiguity. Details are shown in Table 2.2.
Table 2.2: Details of implementation challenges identified by Treasury
|
Risks and sensitivities |
Detail |
Treasury mitigations |
|
Designation of the digital platform sector |
Assessed as ‘medium’. Risk includes shared risks with the ACCC, for example related to enforcement. |
High level of engagement with stakeholders.a |
|
AFCA delivery of an EDR by 30 June 2027b |
AFCA is to receive funding of up to $14.7million (excluding GST) by the end of the grant period on 10 October 2026, to establish a capacity to handle scam disputes for the first three sectors subject to the SPF, through an EDR. As of March 2026, AFCA had not yet received the full amount of grant funding. |
Treasury advised the ANAO in March 2026 that it is working with AFCA to agree on a grant variation to manage changing delivery timelines. |
|
Delays to introduction of intelligence sharing rules |
Intelligence sharing rules establish the obligations for reporting to the ACCC, as the SPF general regulator. This introduces shared risk with ACCC, including a lack of funding for the NASC beyond mid-2026. |
Work closely with stakeholders and use NASC to lead on implementation activities. |
|
NASC funding is not guaranteed beyond 30 June 2026 (identified as a constraint) |
In project planning documents related to intelligence sharing it states that NASC will lead a process to ‘develop proposed settings for SPF reporting and intelligence sharing’. This is subject to funding for NASC that currently terminates on 30 June 2026. |
No mitigation identified. Treasury advised the ANAO in January 2026 that:
|
Note a: This mitigation strategy is consistent with the stakeholder engagement and communication plan in the project overview document.
Note b: AFCA’s original agreement stated that an EDR would be operationalised by 1 March 2026, however the draft redress plan notes this is no longer realistic.
Source: ANAO summary of Treasury’s advice to government and project overviews.
2.28 On 20 February 2026, Treasury provided advice to government updating it on risks for delivery of implementation of the SPF codes, after consideration of a consultation round conducted between November 2025 and January 2026 (see paragraphs 2.64 to 2.65). The Assistant Treasurer noted that delivery risks were increasing as Treasury worked towards a 1 July 2026 commencement date. Treasury advised that ‘significant implementation risks for SPF codes … are heightened due to the compressed delivery timeframes’. Treasury stated that stakeholder consultation would be ‘key’ to mitigate most of these risks, but there would be limited opportunity for consultation due to the timeframes.
2.29 Treasury’s advice also discussed shared risks to delivery by highlighting heightened risks that could affect delivery of ACMA’s activity. Advice noted that due to compressed delivery times there was a risk that the ‘Telco code [would not be] ready in line with other codes, leading to unfair treatment across sectors’. This could ‘limit efficacy of anti-scam practices, increase regulatory risk and complicate redress delivery’. ACMA had also raised concerns about sufficient time to update other regulations. Drafting of the telecommunications code was also dependent on designation of the sector. The suggested mitigation was closer engagement between Treasury and ACMA, as well as between relevant ministers.
2.30 Treasury maintains a scams policy lessons log while developing the SPF. The log includes the lesson details, recommendations and how the lessons learned will be shared across Treasury. As of March 2026, it outlined two lessons learned on the ‘Anti-Scams Agenda’ and ‘Consultation on designation instruments’, with one possible lesson learned on the consultation on internal dispute resolution (IDR).
2.31 As shown in Table 2.2, Treasury’s plan does not consider risk ratings or mitigation against all risks. There is no evidence of the level of risk tolerance expected by Treasury (see Table 2.1 and Table 2.2). Treasury advised the ANAO in March 2026 that ‘risk tolerance in relation to the implementation plan is a matter for the Minister [or] Government’.
2.32 Treasury’s plan is focused on arrangements for and risks to implementation up until commencement of the SPF. There are no plans extending to reviewing the effectiveness of the framework in action. As stewards of the plan and in line with its performance measure (see paragraph 2.7), Treasury is responsible for reporting to the minister on risks of the plan for the longer-term and advising on changes to the level of risk. This requires oversight of risks emerging in the framework identified by regulatory bodies. By not having oversight of these risks, Treasury is not well placed to provide advice to government on the effectiveness of the SPF as a whole.
Recommendation no.1
2.33 The Department of the Treasury should strengthen its risk management arrangements for implementation of the Scams Prevention Framework (SPF). This includes consideration of risk ratings and tolerance levels; and considering risks beyond SPF commencement, to enable it to provide advice on the effectiveness of the framework in operation.
Department of the Treasury response: Agreed
Treasury has oversight of progress of implementation milestones in its plan up until commencement of the SPF operations
2.34 Treasury oversees the activities of other organisations involved in carrying out the implementation plans. Treasury holds regular meetings with the other organisations to discuss SPF implementation matters. Table 2.3 outlines how Treasury works with the SPF-delivering entities, the topics discussed and frequency of these meetings.
Table 2.3: Treasury’s regular meetings with delivering entities for discussion of the SPF
|
Meeting |
Delivering entities |
Meeting discussion |
Frequency |
|
Interdepartmental committee (IDC) |
ACCC, ASIC, ACMA, AFCA, DITRDCSAa |
|
Four-weekly |
|
Bilateral meeting |
ACCC, ASIC ACMA, AFCA, DITRDCSAa |
|
Fortnightly |
|
Project coordination meeting |
ACMA |
|
Weekly |
Note a: DITRDCSA is the Department of Infrastructure, Transport, Regional Development, Communications, Sport and the Arts. ACMA is in the DITRDCSA portfolio.
Note b: ACMA and DITRDCSA meetings are held jointly as DITRDCSA is the lead policy agency on communications and ACMA is the regulator. AFCA meetings are joint with ASIC. ASIC also has its own individual fortnightly meeting on banking workstream matters.
Note c: Workstream updates include updates on banking, digital platforms, telecommunication, intelligence sharing, redress and rules.
Source: ANAO analysis of Treasury’s meetings.
2.35 Treasury has a planning document that describes the SPF IDC. The SPF IDC document identifies the purpose of IDC meetings to facilitate discussion on project governance, shared policies and other matters related to project direction and shared objectives. The meetings provide an opportunity for the entities to report on any delivery updates or changes to milestones and for Treasury to review the progress of the SPF implementation.
2.36 Treasury has maintained oversight of changes in risk and reported on this to the minister, after completing analysis of consultation responses that affected delivery risks (see paragraph 2.28).
2.37 Treasury maintained three separate documents for tracking the delivery progress of the SPF instruments: the Work Breakdown Schedule document; Workstream Update document; and the SPF weekly timeline document. Treasury advised the ANAO in March 2026 that the Work Breakdown Schedule is not currently in use and progress is tracked in the Workstream Update document. The SPF weekly timeline document identifies approval actions for the Assistant Treasurer on a weekly basis against milestones and the proposed timeframe for implementation of SPF projects. These documents are summarised in Table 2.4.
Table 2.4: Treasury’s SPF legislative delivery tracking documents
|
Name |
Items tracked |
Last updated |
Status |
|
Work Breakdown Schedule |
|
October 2025 |
4 activities completed, 9 activities in progress out of 141 total activitiesc |
|
Workstream Update |
|
March 2026 |
See Table 2.5 |
|
SPF weekly timeline |
|
February 2026 |
Not availabled |
Note a: Key deliverables include banking, telecommunication and digital platform designation and code; SPF rules; and AFCA scheme authorisation.
Note b: The phases include policy, drafting, consultation, revision, finalisation and the delegate (if applicable).
Note c: The activities recorded as completed or in progress are for initial policy and drafting instructions for all deliverables. The four activities completed: three on the initial policy for banking designation, telecommunication designation and AFCA scheme authorisation; and one on drafting instructions for banking designation.
Note d: The SPF weekly timeline document does not track the status of the SPF instrument delivery progress.
Source: ANAO analysis of Treasury’s activity tracking documents.
2.38 The Workstream Update document captures weekly status updates. The document states the ‘updates are intended to capture the activities of each workstream for visibility across scam team members to support the identification and discussion of issues which might have an impact on overall delivery of the SPF’. Figure 2.2 presents the completed stages against the planned timeframes. Table 2.5 summarises the SPF implementation activity status from the Workstream Update document as of March 2026.
Table 2.5: SPF implementation activity status from the Workstream Update document as of March 2026
|
Activity status |
Number of activities |
|
Completed |
60 |
|
On track |
14 |
|
On hold |
6 |
|
Major delays |
15 |
|
Minor delays |
16 |
|
Not started — delayed |
8 |
|
Not started — on schedule |
44 |
|
Total |
163 |
Source: ANAO summary from Treasury’s workstream update document.
2.39 Treasury monitors the delivery of the legislative program through the Principal Toolbox database. The Principal Toolbox sets out the legislation, scheduling, contacts, status, date to be completed, measure specifics, and approvals. The Principal Toolbox is used to record changes to measures to the legislative program. The Principal Toolbox is used to generate reports such as the Legislation Program Reports and Legislation Status Update reports.
2.40 The SPF work is listed in Treasury’s law division Legislative Program Report. This report is provided to the minister and deputy secretaries.
2.41 Treasury monitors changes to the SPF instruments and records them in a weekly Legislation Program Changes document. The Legislation Program Changes document is reported and provided to the minister’s office for approval and review weekly.
2.42 Risks for the SPF are also tracked internally though the Legislation Status Update reports. The report describes the measure and risk level, current stage of the instrument, category, sitting period, policy lead and the senior executive service officer from Treasury’s law division. Description of the risk itself is sometimes noted against the measure, for example ‘changes to policy specifications’, but is not always listed against each measure. The Legislation Status Update report is provided to the deputy secretaries. Table 2.6 shows the current status of risks identified against the SPF measures as of March 2026.
Table 2.6: Risks identified against SPF legislative measures as of March 2026
|
Measure |
Risk description |
Status |
Current stage |
|
Bank and digital platform — industry code |
None provided |
High risk |
Legislative drafting |
|
SPF rules |
Changes to policy specification |
High risk |
Legislative drafting |
|
Sectorsa — designation instrument |
None provided |
Medium risk |
Post consultation/finalising legislation |
|
SPF EDR authorisation instrument |
None provided |
On track |
Post consultation/finalising legislation |
Note a: Banking, digital platform and telecommunication sectors.
Source: ANAO presentation of Treasury’s Legislation Status Update report.
Treasury has considered costs and benefits of the SPF; however there is no plan to develop benchmark data that could support monitoring and evaluation
2.43 In October 2024, Treasury prepared an impact analysis in consultation with the Office of Impact Analysis (OIA) to support the government’s decision to establish the SPF.51 The OIA assessed the quality of the analysis in Treasury’s SPF impact analysis as ‘good practice’.
2.44 Treasury’s impact analysis for the SPF identified the likely regulatory burden on industry. Treasury identified an initial increased cost to business of $228.8 million in the first year and ongoing annual costs of $88 million a year. The average cost over 10 years was $102.1 million per year.52 Initial and ongoing cost for the three regulated sectors are identified in Table 2.7.
Table 2.7: Summary of Treasury’s impact analysis of regulatory burden on industry
|
Regulated sector |
Number of entities |
Initial cost ($m) |
Ongoing cost each year ($m) |
|
Banking |
132a |
100.9 |
31.8 |
|
Telecommunications |
445b |
22.0 |
14.1 |
|
Digital platforms |
21c |
106.0 |
42.1 |
|
Total |
598 |
228.8d |
88 |
Note a: This comprises: four major banks; 72 affiliated with Australian Banking Association or Customer Owned Banking Association; 40 non-affiliated AFCA members; and 16 non-affiliated, non-AFCA members.
Note b: This comprises: four major telecommunications companies; 18 medium carriage service providers (CSPs); 150 small CSPs; 241 very small CSPs; and 32 transit carriers/CSPs.
Note c: This comprises: five major Australian Online Scams Code (AOSC) platforms; two non-AOSC platforms; two medium AOSC platforms; and 12 non-AOSC medium platforms.
Note d: Treasury has a total of $228.8 million in its impact analysis. The total of the items in the table do not sum to this and this is due to rounding.
Source: ANAO summary from Treasury impact analysis on SPF.
2.45 The SPF cost-benefit analysis approach was assessed with a ‘break-even’ analysis, and the benefit of the framework is based on whether the implementation cost is less than the benefits of the SPF measured by the level of scam harm reduced by the SPF. Treasury identifies the broad requirement for the benefit to outweigh the cost to be a reduction of 7,028 scams, equivalent to a 4.6 per cent reduction of the $2.7 billion reported scam losses in 2023.53
2.46 There is a lack of defined benchmark data to justify the cost-benefit analysis. Treasury advised the ANAO in March 2026 that ‘the lack of relevant benchmarks is appropriate for the objective to provide a threshold for the policy to demonstrate value, and appropriate at the time, given the novelty of the regulatory approach and complexity in the ecosystem’.
2.47 The data underlying the $2.7 billion loss is based on sources for Scamwatch. These sources do not fully align with the potential sources identified by Treasury for possible performance measurement in the impact analysis (see paragraph 1.2 for Scamwatch data sources and Table 2.11 for impact analysis sources). Consistent baseline data supports embedding monitoring and evaluation activities into implementation planning (see paragraph 2.67). Treasury’s implementation planning does not include plans to develop benchmark data.
Opportunity for improvement
2.48 Treasury could consider developing a methodology to establish and measure the benefit of the SPF by agreeing benchmark data between entities involved in delivery. Treasury may wish to refine the methodology through consultation with industry.
Treasury has a stakeholder engagement strategy and consultation plans up until commencement of the SPF but these do not extend to the SPF in operation
2.49 The APS Framework for Engagement and Participation sets out how Commonwealth entities can ‘engage effectively with citizens, community and business’. It includes 10 standards to apply in engaging with stakeholders, as set out in Box 1.54
|
Box 1: Ten standards for engaging with stakeholders |
|
2.50 Table 2.8 below shows how Treasury’s engagement plan aligns with the standards in the APS framework for stakeholder engagement.
Table 2.8: Treasury’s engagement plan against standards in the APS framework for stakeholder engagement
|
Element of stakeholder engagement |
Treasury’s plan considers this element |
Referencea |
|
1 — objective defined |
Yes |
See paragraph 2.51 |
|
2 — right approach |
Yes |
See paragraph 2.58b |
|
3 — expectations |
Yes |
See paragraphs 2.59 to 2.62 |
|
4 — suitable participants |
Yes |
See paragraph 2.52c |
|
5 — transparency |
Yes |
See paragraphs 2.64 to 2.65 |
|
6 — sufficient information |
Yes |
See paragraph 2.59 to 2.62d |
|
7 — inclusive and diverse |
Yes |
See paragraph 2.58 |
|
8 — understand all views |
N/A |
N/A, not directly related to implementation planning |
|
9 — close the loop |
N/A |
N/A, not directly related to implementation planning |
|
10 — continuous improvements |
Yes |
See paragraphs 2.30, 2.57 and 2.64 to 2.65 |
Note a: Treasury’s plan considers all the relevant elements. ANAO analysis identified inconsistencies in documents identified below in notes b, c and d; however these are not considered material to assess whether consultation planning arrangements have been appropriate.
Note b: Treasury has conflicting departmental guidelines for stakeholder consultation timeframes; and these were not used to select the timeframes for the implementation consultation held in November 2025 to January 2026.
Note c: Internal stakeholders, such as law division are not referenced in plan.
Note d: Consultation held between November 2025 to January 2026 asked questions about redress, while Treasury’s stakeholder engagement plan considered financial redress.
Source: ANAO analysis.
2.51 Treasury documented its stakeholder engagement strategy to support planning for consultation in September 2025. The objectives identified in the document include:
- clearly communicating the SPF objectives and implementation timeline; and
- engaging with stakeholders in a way that builds trust, ensures alignment, manages risks and achieves solutions that are able to be implemented.
2.52 The strategy identifies stakeholders, for example government agencies, industry peak bodies, state and territory governments, legal advisers and stakeholders involved in the dispute resolution scheme.
2.53 The strategy document also identified key phases for consultation as of September 2025 (see Table 2.9).
Table 2.9: Key phases in Treasury’s working document for stakeholder engagement as of September 2025
|
# |
Phase |
Timing |
|
1 |
Government sets direction |
October/November 2025 |
|
2 |
Public consultation — designation instruments and code parameters |
November 2025 |
|
3 |
Confirm designations and SPF start timing |
January/March 2026 |
|
4 |
Public consultation — draft codes and rules |
March 2026 |
|
5 |
Confirm sector requirements |
June 2026 |
|
6 |
Acknowledge industry work on intelligence sharing |
June 2026 |
Source: ANAO summary from Treasury SPF Implementation — Stakeholder Engagement Strategy.
2.54 As shown in Table 2.9, the phases do not extend beyond June 2026. There is no planning for consultation that may be required to manage and report on risks of activities undertaken by the regulators after this date, for example those related to: ongoing administration of the framework; performance monitoring; and evaluation (see paragraphs 2.75 to 2.93).
Recommendation no.2
2.55 In order to be well placed to provide advice to the government on the effectiveness of the operation of the Scams Prevention Framework, the Department of the Treasury develop an ongoing stakeholder consultation plan. Consultation should include industry and consumer groups to test views of the quality of the regulation as a whole.
Department of the Treasury response: Agreed
2.56 Treasury’s plans, such as those in the project overviews for consumer redress and intelligence sharing rules include stakeholder engagement plans. These plans discuss the impact level of the stakeholder on delivery and requirements for engagement and communication.
2.57 In 2023 and 2024, Treasury opened public consultation rounds for the mandatory industry code and exposure draft legislation. Treasury’s impact analysis of the SPF reported on how feedback from the public consultations was incorporated into the policy design.
2.58 Treasury opened a public consultation round to consult on the exposure draft legislation for the SPF from 13 September 2024 to 4 October 2024.55 After the passage of the legislation in February 2025, Treasury ran a separate consultation round from 28 November 2025 to 5 January 2026, on the designation and authorisation instruments to implement the SPF and an SPF position paper.56 When involving stakeholders to check direction or seek ideas, Treasury’s stakeholder consultation principles recommend a 6 to 10 or 10 to 16 week timeframe, respectively. Treasury’s standard timeframes planning tool lists a four week period for consultation on draft subordinate legislation. Treasury advised the ANAO in March 2026 that ‘the timeframes for the consultation … was a decision of the Assistant Treasurer’.
2.59 The consultation position paper included:
- preliminary views about Australia’s scam landscape and sought feedback on how SPF codes and rules can be designed most efficiently; and align with existing regulatory frameworks;
- information that this was a preliminary consultation round and there would be other opportunities for stakeholders to provide comment on exposure draft codes and rules through public consultation in early to mid-2026; and
- requests for views from any interested party, and including stakeholders such as:
- those responsible for anti-scam measures; and
- consumers and businesses affected by scams.
2.60 The position paper included consultation questions about the different SPF principles; the questions focused on:
- consumer choice and personal information;
- governance, prevention, detection and disruption principles;
- actionable scam intelligence;
- the definition of the SPF consumer; and
- the ‘Respond’ principle57 that discussed:
- how codes and rules could encourage cooperation and timeliness in multiparty disputes;
- how codes and rules could assign liability and affect redress;
- evidence requirements;
- non-financial redress;
- addressing high-volume, low-value scam losses; and
- how codes could facilitate the EDR process.
2.61 Treasury released a list of questions on the exposure draft instruments:
- Competition and Consumer (Scams Prevention Framework — Regulated Sectors) Designation 2025; and
- Competition and Consumer (Scams Prevention Framework — External Dispute Resolution) Authorisation 2025.
2.62 Questions from the consultation focused on:
- how to ensure appropriate definitions of sectors for designation to capture the intended organisations;
- whether AFCA needed any other special conditions; and
- supporting good redress outcomes before EDR commencement.58
2.63 In February 2026 Treasury advised the ANAO that:
Government will communicate decisions about the finalisation of the SPF and acknowledge the contributions made from industry, consumers, regulators and AFCA. Treasury expects to continue to engage with key stakeholders across government and industry over the coming months, which will provide organic opportunities to discuss decisions around finalisation of the SPF and what feedback was and was not incorporated.
2.64 Treasury advised the government on 9 February 2026 about outcomes of the November 2025 to January 2026 consultation process. Treasury’s advice included that consultation had drawn ‘over 330 participants’ to an information session, Treasury had hosted ‘multiple bilateral meetings’ and 70 written submissions were received in response to the public consultation round. Based on the consultation, Treasury recommended updates to implementation activities.
2.65 On 20 February 2026, government agreed to updates to implementation activities based on feedback from the consultation process, in particular:
- clarifying the scope of the sector designations; and
- more engagement at senior levels to address stakeholder concerns about dispute resolution arrangements.
Treasury does not yet have appropriate arrangements to monitor, report and evaluate on whether the SPF has met its objectives
2.66 The Australian Government Guide for Policy Impact Analysis describes that an evaluation plan should answer the following questions:
- how well the policy was implemented;
- whether the policy was effective and efficient in achieving its intended outcomes; and
- whether the policy had differential impacts for different groups.59
2.67 The Australian Centre for Evaluation (ACE) in Treasury developed the Commonwealth Evaluation Policy, which applies to all Commonwealth entities subject to the PGPA Act. It provides a principles-based approach for conducting evaluation across the Commonwealth. The Commonwealth Evaluation Policy emphasises the importance of:
- ‘Plan[ning] to conduct fit for purpose monitoring and evaluation activities before beginning any program or activity. This includes identifying time-frames, resources, baseline data and performance information’; and
- using strategic risk-based approaches to identify, prioritise and schedule evaluation activities.60
2.68 The Commonwealth Evaluation Policy recommends planning for evaluation as early as possible in the cycle to enable data to be incorporated in the most cost-effective way.
2.69 Commonwealth entities are required to plan how an activity or program will be evaluated before an activity or program is implemented. ACE states this is to:
- meet implementation planning requirements in the Budget and Cabinet processes;
- meet policy requirements in the Impact Analysis Framework, the Charging Framework and the Commonwealth Grants Policy (where applicable);
- meet legislative requirements to measure, assess, and report on performance under the Commonwealth Performance Framework;
- strengthen program design and ensure the required data for performance monitoring and evaluation can be collected throughout implementation and aligned to existing data collections, where possible; and
- support decision making.61
2.70 Treasury’s departmental framework and tools for project management recommend that evaluation plans be considered during the planning stage of the project.
2.71 As steward of the SPF, Treasury has a role to ensure the long-term impacts of what it does, including the long-term integrity and sustainability of the SPF.62
2.72 Section 58GF of the SPF Act states that a review of the operation of the SPF provisions must be conducted as soon as practicable after three years of when the first SPF code is made.63 The review is to be tabled in the House of Representatives 15 days after the minister receives the report.
2.73 Section 58AA of the SPF Act outlines the objective of the SPF to ‘prevent and respond to scams’. The SPF impact analysis identified two more detailed objectives of the SPF. The first objective was to ‘reduce scams harm’. Treasury defines success for this objective as ‘a sustained reduction in number and size of reported scam losses by consumers’.64 The second objective was to ‘align benefits and costs of scam prevention’. Treasury defines success for this objective as a ‘reduction in scams taking place across services, as opposed to an aggregated reduction in one area of the economy’.65
2.74 Treasury does not have evaluation arrangements to assess whether the objectives have been met. Section 58GF sets out to review the legislation and not regulation of the SPF.
Treasury has not designed performance reporting arrangements to ensure that the SPF can be assessed against its objectives
2.75 Treasury tracks publicly available sources on scams (for example Scamwatch) and directly requests data from industry to monitor data and intelligence on scams. Publicly available sources are tracked and analysed on a dashboard. Treasury’s SPF working team monitors government, industry and other news on scams fortnightly.
2.76 Paragraph 58BD(1)(c) of the SPF Act states that regulated entities are required to develop and implement performance metrics and targets that measure the effectiveness of governance policies and procedures to combat scams.66 Treasury planning documents include consideration of potential metrics and targets that should be used by industry; these related to:
- scam detection and disruption;
- data sharing and reporting;
- compliance and enforcement;
- education and awareness; and
- IDR and EDR.
2.77 The requirement for regulated entities to have performance metrics and targets is referenced in plans for SPF rules.
2.78 Treasury advised the ANAO in February 2026 that there is no ‘mandatory reporting requirement’ for the performance measure in section 58BD. Treasury further advised ‘regulators or sector regulators may request a copy of the measures’ from the regulated entities and ‘how regulated entities report on the performance measures is … a matter for the regulators’.
2.79 Treasury’s planning arrangements do not consider performance measures that could be monitored by regulating entities to support evaluation of the SPF outcomes against its objectives. Treasury has not developed performance reporting to assess and publicly report on the impact of market intervention through the SPF in consultation with regulatory bodies.
2.80 The SPF Act Explanatory Memorandum states that the ‘legislation-making power also ensures there is sufficient flexibility for government to respond quickly to changing scams methods and trends’.67 Legislative instruments can be made and enforced, and additional sectors can be brought into the SPF. The SPF also introduces the idea of expanding the SPF coverage to other sectors, such as superannuation and cryptocurrency, after the SPF is in place.68 As steward of the SPF, Treasury should consider performance measures capable of informing government of the long-term impacts of the SPF.
2.81 There is no formalised arrangement between Treasury and the regulators to allow for effectively informing the government about the long-term operations of the SPF. Treasury and the Australian Taxation Office (ATO) have a protocol to work collaboratively on shared matters.69 One aspect of the protocol includes understanding the collective impact of government policy, which is ‘critical’ to ensuring the ‘achievement of desired strategic outcomes and to support a clear, evidence-based approach to policy decision making in context of the wider Government policy agenda’.70 It further outlines that Treasury and the ATO will work closely to establish roles, responsibilities and governance arrangements to maintain an agreed approach in monitoring and evaluating shared programs.
2.82 Individual regulator statement of expectations set by a minister are another way to provide greater clarity on whole-of-government objectives and expectations relevant to a regulator, including the policies and priorities it is expected to observe in conducting its operations.71 According to the Department of Finance’s guidance, ‘in line with a stewardship approach to regulatory reform, ministers, secretaries and heads of regulators are responsible for identifying and settling what are the regulatory functions within their portfolios’.72 Among other things, the statements of expectations should align regulatory ‘approach and implementation with the Regulatory Policy, Practice and Performance Framework’s principles in relation to the regulator’s role, regulatory posture, specific legislative objectives, functions, and environment’.73
Recommendation no.3
2.83 The Department of the Treasury develop a plan in consultation with the regulators and consumers to monitor and report on whether the SPF is operating as intended.
Department of the Treasury response: Agreed
Treasury has not yet established arrangements to support evaluation of SPF outcomes
2.84 The SPF Act Explanatory Memorandum for section 58GF outlines that the review will examine the operation of the SPF provisions.74 The review needs to take place three years after the first SPF code is made. Examples of areas the review may focus on are outlined in Table 2.10.
Table 2.10: Possible SPF statutory review areas of focus
|
Type |
Description |
|
Effectiveness |
Dispute resolution framework (IDR and EDR), the customer experience and role of AFCA. |
|
Penalty provision to deter contravention of the SPF. |
|
|
Impact |
SPF impact on Australian consumers and businesses. |
|
Other |
Other related legislation and regulatory initiatives, including emerging trends and developments internationally as they relate to the SPF. |
Source: ANAO summary of SPF Act Explanatory Memorandum.
2.85 Treasury advised the ANAO in February 2026, that the ACCC will be involved in evaluation of the SPF. It advised that the ACCC will be consulted to inform the development and approach of the statutory review.
2.86 The SPF impact analysis states that the evaluation of the SPF will be informed through established mechanisms and reports from agencies and regulators.75 The reports that could be potential sources of measures to inform evaluation, agency and regulators are summarised in Table 2.11.
Table 2.11: Reports and outcomes measured from agencies and regulators Treasury identified that could enable evaluation of SPF against intended objectives
|
Agency/regulator |
Report |
Outcome measured |
|
NASC |
Consumer and industry reports |
Information on consumer and industry reports about scams |
|
Australian Bureau of Statistics (ABS) |
Personal fraud report |
Exposure and victimisation to scams |
|
Australian Institute of Criminology (AIC) |
Cybercrime in Australia report |
Exposure and victimisation to scams |
|
Consumer access to reporting outlets and supporting networks |
||
|
ACMA |
Actions on scams, spam and telemarketing |
Detection and disruption activities by the private sector |
|
Treasury |
Australian consumer survey |
Exposure and victimisation to scams |
|
Reported losses to scams |
||
|
Scams consumer survey |
Consumer satisfaction with business policies and procedures relating to scams |
|
|
Consumer trust in the payments and communication system |
||
|
Consumer access to reporting outlets and supporting networks |
||
|
ACCC |
Targeting scams report, Scamwatch dashboard |
Reported losses to scams |
|
Reporting and information sharing on scam cases affecting consumers |
||
|
Quarterly report |
Detection and disruption activities by the private sector |
|
|
Digital platform service inquiry |
Assessment of quality in business anti-scam policies and procedures |
|
|
ATO |
Scam data |
Reporting and information sharing on scam cases affecting consumers |
|
ASIC |
Scam prevention, detection and response |
Assessment of quality in business anti-scam policies and procedures |
|
AFCA |
Annual review |
Consumer complaints to EDR systems |
Source: ANAO analysis of SPF impact analysis report.
2.87 Treasury’s impact analysis has identified how different organisations and sectors could be affected in terms of cost to industry (see paragraphs 2.43 to 2.48).
2.88 There are requirements related to performance measurement for regulated entities and review in the SPF Act, but there is no plan for evaluation of whether the SPF is meeting its objectives.
2.89 Treasury advised the ANAO in January 2026, that it ‘does not currently have an evaluation framework in place’ and that an evaluation framework will be developed to support the statutory review. Treasury advised the ANAO in February 2026, that the approach to the ‘statutory review will be considered post implementation of the SPF’. Planning for the statutory review at the earliest possible stage may increase the likelihood of success at the final evaluation.
2.90 In the SPF impact analysis, Treasury identified two objectives to address rising scams. The impact analysis provides outcome measures and reports from government agencies and regulators that can inform the SPF effectiveness against the objectives (see paragraph 2.73).
2.91 Treasury advised the ANAO in February 2026, that the sources identified in the impact analysis are consistent with the ‘expected sources of information Treasury will use to monitor and evaluate the outcomes of the SPF’. It further advised that it ‘regularly briefs Government on the progress of anti-scam initiatives against this data and similarly will use it in evaluating the SPF’. It has not advised whether the outcomes stated will be used to inform the evaluation of SPF against its objectives.
2.92 Treasury advised the ANAO in February 2026 that it ‘routinely monitors data and intelligence on scams’ and that it will ‘provide insight into whether the SPF is operating as intended and achieving its objective once implemented’. There is no plan for how evaluation will occur.
Recommendation no.4
2.93 The Department of the Treasury develop an evaluation plan to assess whether the Scams Prevention Framework (SPF) has met its objectives. The plan should consider the timing of the statutory review of the SPF and how it fits in with establishment of the framework in 2027 and the making of the first SPF Code.
Department of the Treasury response: Agreed
Appendices
Appendix 1 Entity response
Department of the Treasury
Appendix 2 Improvements observed by the ANAO
1. The existence of independent external audit, and the accompanying potential for scrutiny improves performance. Improvements in administrative and management practices usually occur: in anticipation of ANAO audit activity; during an audit engagement; as interim findings are made; and/or after the audit has been completed and formal findings are communicated.
2. The Joint Committee of Public Accounts and Audit (JCPAA) has encouraged the ANAO to consider ways in which the ANAO could capture and describe some of these impacts. The ANAO’s corporate plan states that the ANAO’s annual performance statements will provide a narrative that will consider, amongst other matters, analysis of key improvements made by entities during a performance audit process based on information included in tabled performance audit reports.
3. Performance audits involve close engagement between the ANAO and the audited entity as well as other stakeholders involved in the program or activity being audited. Throughout the audit engagement, the ANAO outlines to the entity the preliminary audit findings, conclusions and potential audit recommendations. This ensures that final recommendations are appropriately targeted and encourages entities to take early remedial action on any identified matters during the course of an audit. Remedial actions entities may take during the audit include:
- strengthening governance arrangements;
- introducing or revising policies, strategies, guidelines or administrative processes; and
- initiating reviews or investigations.
4. As noted in paragraph 1.20, audit work concluded in mid-March 2026, so Treasury has had limited opportunity to make improvements during the course of the audit. In March 2026, Treasury advised the ANAO that, since the ANAO’s request for information about levels of engagement with the Australian Centre for Evaluation (ACE), the team has engaged with ACE. ACE has offered to discuss the SPF and provide resources on evaluation planning.
Footnotes
1 Global Anti-Scam Alliance, International Scammers Steal Over $1 Trillion in 12 Months in Global State of Scams Report 2024, GASA, 2024, available from https://gasa.org/knowledge-base/blog/global-state-of-scams-report-2024-1-trillion-stolen-in-12-months-gasa-feedzai [accessed 24 April 2026].
2 Australian Competition and Consumer Commission, Targeting Scams (2024), ACCC, Canberra, 2025, available from https://www.nasc.gov.au/system/files/targeting-scams-report-2024.pdf [accessed 27 January 2026].
3 Department of the Treasury, Scams Prevention Framework, Treasury, Canberra, 2025, p. 1, available from https://treasury.gov.au/sites/default/files/2025-01/p2 025-623966.pdf [accessed 4 May 2025].
4 Australian Consumer and Competition Commission, Scams, ACCC, available from https://www.accc.gov.au/consumers/stay-protected/scams [accessed 24 February 2026].
5 Scamwatch is described as a ‘detailed data source that includes information about scam types, victims, communication and payment methods, and reporters’ and victims’ backgrounds. Approximately 90.0% of reports to Scamwatch are from people who have not suffered a financial loss’.
ACCC, Targeting Scams (2024), p. 21.
6 The scale of losses may be larger. ACCC reported that in 2022–23, ‘approximately 30 per cent of people who experienced a scam did not report it’.
ibid., p. 34.
7 ReportCyber is a cybercrime reporting platform hosted by the Australian Cyber Security Centre within the Australian Signals Directorate. See ACCC, Targeting Scams (2024), p. 32 for more information.
8 IDCARE is an Australian and New Zealand’s national identify and cyber support service, it is a registered charity that receives government funding and funded by its subscribers. See ACCC, Targeting Scams (2024), p. 32 for more information.
9 AFCX is an independent, not-for-profit company, it provides a platform for organisation to share and gain operational data and insights from one another. See ACCC, Targeting Scams (2024), p. 33 for more information.
10 Australian Securities and Investment Commission, Reports of misconduct data, ASIC, available from https://www.asic.gov.au/about-asic/corporate-publications/reports-of-misconduct-data/ [accessed 2 June 2026].
11 Australian Taxation Office, Scam Data, ATO, Canberra, 2026, available from https://www.ato.gov.au/online-services/scams-cyber-safety-and-identity-protection/scam-data [accessed 2 June 2026].
12 Australian Institute of Criminology, Cybercrime in Australia 2024, AIC, 2025, available from https://www.aic.gov.au/sites/default/files/2025-08/sr53_cybercrime_in_australia_2024_v2.pdf [accessed 2 June 2026].
13 Australian Communications and Media Authority, Action on scams, spam and telemarketing, ACMA, 2026, available from https://www.acma.gov.au/action-spam-and-telemarketing [accessed 2 June 2026].
14 Australian Financial Complaints Authority, Annual Review 2024-25, AFCA, 2025, available from https://www.afca.org.au/about-afca/annual-review [accessed 2 June 2026].
15 Australian Bureau of Statistics, Personal Fraud, ABS, Canberra, various years, available from https://www.abs.gov.au/statistics/people/crime-and-justice/personal-fraud [accessed 24 February 2026].
16 Australian Labor Party, Fighting online scams: families and small business will be safer online under an Albanese Labor Government, Parliament of Australia, available from https://parlinfo.aph.gov.au/parlInfo/search/display/display.w3p;page=0;query=Fighting%20online%20scams;rec=0;resCount=Default [accessed 23 February 2026].
17 National Anti-Scam Centre, How we’re run, NASC, available from https://www.nasc.gov.au/what-we-do/how-were-run [accessed 27 January 2026].
18 Australian Government, Budget Paper No. 2: Budget Measures 2023–24, Commonwealth of Australia, Canberra, 2023, p. 211, available from https://archive.budget.gov.au/2023-24/bp2/download/bp2_2023-24.pdf [accessed 5 June 2025].
19 Australian Government, Budget Paper No. 2: Budget Measures 2025–26, Commonwealth of Australia, Canberra, 2025, p. 76, available from https://archive.budget.gov.au/2025-26/bp2/download/bp2_2025-26.pdf [accessed on 6 May 2025].
20 ACCC, Targeting Scams (2024).
21 Australian Government, Budget Paper No. 2: Budget Measures 2024–25, Commonwealth of Australia, Canberra, 2024, p. 180, available from https://archive.budget.gov.au/2024-25/ [accessed 24 February 2026].
22 Scams Prevention Framework Act 2025, subsection 58AA.
23 Treasury has published a document called the Scams Prevention Framework that describes the SPF.
Treasury, Scams Prevention Framework, p. 1.
24 Scams Prevention Framework Act 2025, subsection 58AG(1).
25 ibid., subsections 58AG(1) and 58AH(1).
26 Explanatory Memorandum, Scams Prevention Framework Bill 2024, paragraphs 1.80 and 1.81.
Treasury has advised the ANAO in May 2026 that ‘some activities may be excluded from being a scam’ as the SPF rules have not been made yet.
27 Treasury, Scams Prevention Framework, p. 7.
28 Scams Prevention Framework Act 2025, section 58AC.
29 Treasury, Scams Prevention Framework, p. 1.
30 Office of Impact Analysis (OIA), Impact Analysis Scams Prevention Framework, Department of the Prime Minister and Cabinet, 2024, pp. 14, available from https://oia.pmc.gov.au/sites/default/files/posts/2024/11/Impact%20Analysis_3.pdf [accessed 2 February 2026]
31 ibid., pp. 14-15
32 The Australian Financial Complaints Authority is a non-governmental authority that provides independent dispute resolution for financial complaints and was established in November 2018.
33 Treasury advised the ANAO in March 2026, that timing remains subject to Government decision.
34 Scams Prevention Framework Act 2025, sections 58BR, 58BT and 58BY.
35 Department of the Treasury, Scams Prevention Framework: Summary of Reforms, Treasury, Canberra, 2024, p. 8, available from https://treasury.gov.au/sites/default/files/2024-09/c2024-573813-summary.pdf [accessed 8 January 2026]
36 If consumers are not satisfied by the outcome of an organisation’s internal dispute resolution process, then they can go through the external dispute resolution process provided by AFCA. The Framework applies a ‘no wrong door’ policy to allow consumers to go through the internal dispute resolution of any organisation connected with the scam.
37 Australian Government, Mid-Year Economic and Fiscal Outlook 2024–25, Commonwealth of Australia, Canberra, 2024, p. 13, available from https://archive.budget.gov.au/2024-25/myefo/download/myefo2024-25.pdf [accessed 5 June 2025].
38 Treasury, Scams Prevention Framework, p. 6.
39 Office of Impact Analysis, Australian Government Guide to Policy Impact Analysis, Department of the Prime Minister and Cabinet, Canberra, 2023, available from https://oia.pmc.gov.au/sites/default/files/2024-01/australian-government-guide-to-policy-impact-analysis.pdf [accessed 3 June 2024].
40 ibid., pp. 39–40.
41 Australian Public Service Academy, Delivery Great Policy Model — Practical to implement, APS Academy, Canberra, 2025, available from https://www.apsacademy.gov.au/aps-craft/strategy-policy-evaluation/delivering-great-policy/practical-implement [accessed 25 February 2026].
42 Public Governance, Performance and Accountability Act 2013, section 38; and Public Governance, Performance and Accountability Rule 2014, subsection 16F(2).
43 Public Service Act 1999, subsection 10(6).
44 See ‘key messages for the sector’, Auditor-General Report No. 25 2025-26, Administration of the Age Pension, ANAO, Canberra, 2026, paragraph 22, available from https://www.anao.gov.au/work/performance-audit/administration-of-the-age-pension [accessed 27 March 2026].
45 OIA, Australian Government Guide to Policy Impact Analysis, p. 40.
46 ibid., p. 41.
47 Department of the Treasury, Annual report 2024-25, Treasury, 2025, p. 25, available from https://treasury.gov.au/sites/default/files/2025-10/p2 025-710797-ar.pdf [accessed 2 February 2026].
48 ACMA is separate from the Department of the Treasury portfolio, it is in the Department of Infrastructure, Transport, Regional Development, Communications, Sport and the Arts portfolio.
49 ‘Quarter’ refers to a calendar year quarter.
50 Public Governance, Performance and Accountability Act 2013, sections 16 and 19.
51 OIA, Impact Analysis SPF.
52 The annual increase is calculated by adding the initial cost ($228.8 million) and ongoing cost ($88 million) multiplied by the numbers of years remaining ($88 million x 9 years) divided by the total number of years (10 years).
53 The impact analysis states that ‘scam losses in Australia may be expected to change in the future under Option 1 - status quo. If the number of scam victims would rise under the status quo (as is likely given assessment outlined in the Section 1) this percentage represents an overestimate of the reduction in scam losses required to result in a net benefit’.
OIA, Impact analysis SPF, p. 35.
54 Australian Public Service Commission, Getting stakeholder engagement right, APSC, Canberra, 2024, available from https://www.apsc.gov.au/initiatives-and-programs/aps-mobility-framework/taskforce-toolkit/stakeholder-engagement/getting-stakeholder-engagement-right [accessed 24 March 2026].
The APSC guide also states that ‘successful stakeholder engagement involves adapting your approach for each stakeholder’ to identify and map out stakeholders to develop an engagement plan; and execute the engagement plan in a considered and transparent way.
55 Department of the Treasury, Consultation: Scams Prevention Framework — exposure draft legislation, Treasury, Canberra, available from https://treasury.gov.au/consultation/c2024-573813 [accessed 25 February 2026].
56 Department of the Treasury, Consultation: Scams Prevention Framework — Draft law package and position paper, Treasury, Canberra, available from https://consult.treasury.gov.au/c2025-715201 [accessed 25 February 2026].
Department of the Treasury, Advancing Australia’s Scams Prevention Framework through Codes and Rules: Position Paper, Treasury, Canberra, 2025, available from https://storage.googleapis.com/files-au-treasury/treasury/p/prj38c41037eb554b881caef/page/c2025_715201_pp.pdf [accessed 10 March 2026].
The consultation package includes draft instruments to designate the three industry sectors and AFCA, explanatory notes, consultation questions and a position paper.
57 The ‘Respond’ principle is one of the six overarching principles that define the obligations set under the SPF. It refers to how regulated entities must have a mechanism for consumers to report scams or complain about how a regulated entity has acted in relation to a scam. See Treasury, Advancing Australia’s SPF through Codes and Rules: Position Paper, p. 18, for more detail.
58 Department of the Treasury, Scams prevention framework: Consultation questions on exposure draft instruments, Treasury, Canberra, available from https://storage.googleapis.com/files-au-treasury/treasury/p/prj38c41037eb554b881caef/page/c2025_715201_cq.pdf [accessed 25 February 2026].
59 OIA, Australian Government Guide for Policy Impact Analysis, p. 41.
60 Australian Centre for Evaluation, Commonwealth Evaluation Policy, Treasury, Canberra, available from https://evaluation.treasury.gov.au/about/commonwealth-evaluation-policy [accessed 20 January 2026].
61 Australian Centre for Evaluation, Before implementation, Treasury, Canberra, available from https://evaluation.treasury.gov.au/toolkit/when-evaluate/before-implementation [accessed 20 January 2026].
62 Australian Public Service Commission, Stewardship guidance, APSC, Canberra, available from https://www.apsc.gov.au/working-aps/information-aps-employment/aps-valu… [accessed 25 February 2026].
63 Scams Prevention Framework Act 2025, section 58GF.
64 OIA, Impact Analysis SPF, p. 14.
65 ibid.
66 Scams Prevention Framework Act 2025, paragraph 58BD(1)(c).
67 Explanatory Memorandum, Scams Prevention Framework Bill 2024, paragraph 1.33.
68 Treasury, Scams Prevention Framework, p. 6.
69 Shared matters refer to the Australian tax system, and some aspects of the superannuation, foreign investment and registry systems. See Australian Taxation Office, ATO-Treasury Protocol, ATO, available from https://www.ato.gov.au/about-ato/new-legislation/ato-and-treasury-roles/ato-treasury-protocol [accessed on 10 March 2026].
70 ibid.
71 Department of Finance, Guidance Note, Finance, Canberra, 2025, available from https://www.finance.gov.au /government/managing-commonwealth-resources/regulator-performance-rmg-128/guidance-note [accessed on 2 June 2026].
72 ibid.
73 ibid.
74 Explanatory Memorandum, Scams Prevention Framework Bill 2024, paragraphs 1.597 to 1.600.
75 OIA, Impact Analysis SPF, p. 45.