Australia’s New Scam Code is Here


How Australia is rewriting the rules on scams

Authorised payment fraud is hitting Australians hard. It’s fast, sophisticated, and it’s growing. In 2023, scams cost consumers more than $2 billion—with most losses happening after customers were tricked into sending money themselves. And until now, the system’s response has been inconsistent at best.

That’s changing. Australia is bringing in a new wave of regulation that puts scams squarely on the industry’s shoulders. The message is clear: it’s time to shift from “buyer beware” to “bank prepared.”

Banks—big or small—are expected to step up. With stronger controls. Smarter friction. And clearer responsibility when things go wrong.

Here’s what’s changing, and what it means for you.

A mandatory scam code, backed by law

The Scam Prevention Framework is now law. It gives the ACCC the power to introduce mandatory scam codes across sectors—starting with banking. These codes will set minimum requirements for how banks detect, disrupt, and respond to scams.

It’s not just about stopping fraud. It’s about how banks handle complaints, how they support victims, and—crucially—when they reimburse losses.

The code is coming in 2025. But the expectations are already here. ASIC wants board-level oversight, dedicated scam strategies, and faster response teams. APRA is tying scam risk to operational resilience. And the ACCC has made it clear: if banks don’t act, they’ll regulate harder.

The Scam Safe Accord: setting the pace before it’s mandatory

While the government builds the code, banks are moving. The Scam Safe Accord—launched by the Australian Banking Association and Customer Owned Banking Association—is a voluntary commitment with serious weight behind it.

Most major and community banks have signed on. Together, they’ve committed to six high-impact protections, including:

Confirmation of Payee—A national system to check account names before payments go out. If the name doesn’t match, the customer sees a clear warning—or the payment gets paused.

Biometric onboarding—By the end of 2024, opening a new online account will require biometric ID, like facial recognition or liveness detection. No shortcuts.

Smarter friction—First-time payments, crypto transfers, and large amounts now come with built-in delays and context-aware alerts. Because sometimes, slowing down is what saves the day.

Fraud data sharing—All participating banks now tap into shared intel via AFCX and FRX. If a scam hits one institution, others get the alert in real time.

Crypto controls—Transfers to high-risk destinations like unregulated exchanges are getting extra scrutiny, caps, or blocks.

Dedicated scam teams—Staff are trained to spot the signs early and support customers under pressure. It's no longer just about catching fraud—it’s about preventing trauma.

Together, these steps form a baseline that many banks are already implementing ahead of schedule. The future scam code will likely build on this—so taking action now means less scrambling later.
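As an added example (not code from the Accord, the banks, or Enlace), here is one way a pre-payment check could combine a Confirmation of Payee name comparison with the friction triggers listed above. The similarity threshold, the large-amount limit, the category label, and all function names are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass
from difflib import SequenceMatcher

# Assumed values for illustration; the page does not specify any thresholds.
CLOSE_MATCH = 0.85
LARGE_AMOUNT_AUD = 5_000
HIGH_RISK_CATEGORIES = {"unregulated_crypto_exchange"}
_NOISE = {"pty", "ltd", "limited", "mr", "mrs", "ms", "dr", "the"}

def normalise(name: str) -> str:
    """Lower-case, drop punctuation and title/company noise, sort the tokens."""
    tokens = re.findall(r"[a-z0-9]+", name.lower())
    return " ".join(sorted(t for t in tokens if t not in _NOISE))

def payee_match(entered: str, registered: str) -> str:
    """Return 'match', 'close' or 'mismatch' for the account-name check."""
    a, b = normalise(entered), normalise(registered)
    if a == b:
        return "match"
    ratio = SequenceMatcher(None, a, b).ratio()
    return "close" if ratio >= CLOSE_MATCH else "mismatch"

@dataclass
class Payment:
    entered_name: str          # what the customer typed
    registered_name: str       # name held by the receiving institution
    amount_aud: float
    first_time_payee: bool
    destination_category: str = "bank_account"

def decide(p: Payment) -> tuple[str, list[str]]:
    """Return (action, reasons); action is 'allow', 'warn' or 'hold'."""
    reasons = []
    cop = payee_match(p.entered_name, p.registered_name)
    if cop != "match":
        reasons.append(f"payee_name_{cop}")
    if p.first_time_payee:
        reasons.append("first_time_payee")
    if p.amount_aud >= LARGE_AMOUNT_AUD:
        reasons.append("large_amount")
    if p.destination_category in HIGH_RISK_CATEGORIES:
        reasons.append("high_risk_destination")
    # A clear name mismatch, or two or more stacked signals, pauses the payment;
    # a single signal shows the customer a warning naming the reason.
    if cop == "mismatch" or len(reasons) >= 2:
        return "hold", reasons
    return ("warn" if reasons else "allow"), reasons
```

Returning the reasons alongside the action lets the warning or hold screen tell the customer exactly why the payment was slowed down.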

A new take on liability and reimbursement

Historically, if a customer approved the payment—even under duress—it wasn’t considered fraud. That meant no automatic reimbursement. But that’s changing.

The upcoming scam code will give customers clearer rights to challenge losses and demand accountability. If a bank ignored red flags, failed to implement industry-standard checks, or left known vulnerabilities exposed—it could be on the hook for the loss.

Many banks are already adapting. Some are offering conditional reimbursement for impersonation scams. Others are clarifying their loss policies and improving support flows for victims. And the Australian Financial Complaints Authority (AFCA) is increasingly siding with customers in scam disputes.

What matters now isn’t just whether a scam happened—but whether the bank could have done more to stop it.

What this means for community banks

Big banks aren’t the only ones in scope. Community banks face the same risks, and the same expectations. But the good news? They don’t have to go it alone.

Through the Scam Safe Accord and industry partnerships, smaller banks now have access to shared fraud infrastructure, biometric tools, and coordinated scam intelligence. That makes it possible to deliver big-bank protection—without a big-bank budget.

And there’s no need to reinvent the wheel. For community banks, it’s about focusing on three moments that matter most: login, session, and payments.

It starts at login. This is where trust is established—or lost. The strongest players have already moved beyond passwords. They use biometric authentication to onboard new users, bind trusted devices, and detect when something doesn’t feel right.

The next weak spot is the session itself. A clean login doesn’t guarantee a safe experience. Social engineers often guide victims in real time—telling them what to click, where to look, how to respond. That’s why it's critical to continue to monitor in-session behavior using subtle, privacy-preserving cues. Movement patterns, typing rhythms, navigation flow. The goal is simple: know when a customer is being manipulated, and step in fast.

Then come payments—the moment that matters most. This is where the money moves, and where recovery often isn’t an option. Enlace has helped banks build real-time defences that actually work: Confirmation of Payee, smart prompts, and context-aware step-ups. From what we’ve seen, this is where you stop scams before they land. Spot payments that feel off, or follow patterns we’ve seen before. And when you need to slow things down, say so—clearly. Customers get it. Trust isn’t lost in a delay. It’s earned there.

None of this is theory. We’ve built it. We’ve seen it work. And we’ve seen what happens when it’s missing.

What’s next—and why it matters

Here’s the roadmap.

The Scam Safe Accord is live now. Most of its protections will be in place by the end of 2024. The official scam code lands in 2025. Enforcement, compliance checks, and penalties will follow.

That gives banks a window—but not a pass.

The smartest banks aren’t waiting. They’re investing in smarter controls, reviewing fraud processes, and building trust by design. Not just because the law says so—but because customers are watching. And because the cost of doing nothing is far higher than the cost of getting it right.

Scams are evolving. So is regulation. But with the right tools and the right mindset, banks can stay one step ahead.



The insights in this post are based on industry research, conversations with Australian banks and fraud prevention experts, as well as our own experience. The content is for general information only and not intended as legal, financial, or technical advice. While Enlace strives for accuracy, the information may not reflect the latest developments.

TL;DR - Quick Summary

  • Australia’s scam code becomes law in 2025, setting strict rules for how banks prevent and respond to fraud.

  • Banks are already acting, with passkeys and biometric ID, smarter friction, and shared scam intel becoming the new normal.

  • Reimbursement is no longer a grey area. If banks miss the signs, they may be on the hook.

  • Community banks are in scope too—but with the right tools, they can protect customers without going it alone.

Published on Apr 25, 2025

Ready to protect what matters?

Give your customers secure, seamless banking — with fraud protection that just works.
