Scam lessons from AFCA: How Licensees can seek to reduce liability in a new era of fraud

Josh Wigney, Associate

It wasn’t long ago that someone would receive an email in their inbox saying they had received a large inheritance from the prince of a foreign land and immediately know it was a scam. These days, as technology races ahead and AI keeps getting smarter, it’s becoming much trickier for the average Aussie to spot a scam before it’s too late. Scammers are stepping up their game with crafty tricks like spoofed SMS messages, deepfake voices that sound just like your mate, and clever social engineering to play on our natural sense of trust.

Whilst in the past a customer who fell victim to a scam was generally treated as responsible for the loss, this is no longer always the case. Recent AFCA decisions and the impending rollout of the Scams Prevention Framework have significant implications for financial institutions, making it clear that businesses must take proactive steps to prevent and respond to scams.

The current landscape

Scams are no longer a “fringe issue” – they’ve become a significant compliance and reputational threat for financial services businesses across Australia. Criminals are getting sneakier, targeting individuals rather than just systems, and their tactics are costing Aussies billions every year.

Recent AFCA data highlights the scale of the problem. In the 2023–24 financial year, AFCA received 10,440 scam-related complaints, with personal transaction accounts and credit cards most commonly involved. Although there was a slight drop in scam-related complaints for the 2024–25 financial year, AFCA continues to receive on average nearly 500 complaints each month. It’s likely these figures underestimate the true size of the issue, as many victims never formally report their losses.

AFCA’s 2024–25 Annual Review identified several common scam types: buying and selling scams on platforms like Facebook Marketplace; impersonation scams where fraudsters pretend to be from banks, government agencies, telcos, or online services; and business email compromise scams involving large payments. These email scams are particularly damaging, with criminals intercepting genuine communications to alter payment details or using near-identical email addresses to divert funds.

While most scam-related complaints centre around traditional financial products, the risk landscape is rapidly shifting. Many digital asset service providers – an industry especially vulnerable to scams – aren’t currently required to become AFCA members. However, recent updates to ASIC Information Sheet 225 and proposed Treasury reforms mean more digital asset businesses will soon need an AFSL, which for retail service providers, also means becoming an AFCA member. As a result, scam-related complaint numbers are expected to climb.

AFCA’s expanding role under the Scams Prevention Framework

The regulatory landscape shifted dramatically with the passing of the Scams Prevention Framework in February 2025. This legislation is intended to make AFCA the single external dispute resolution scheme for scam-related complaints, covering telecommunications and digital platforms providers, in addition to financial firms that are already AFCA members. Importantly, the Framework will establish clear obligations for banks, telecommunications providers and digital platforms to prevent, detect, disrupt, report and respond to scams.

Following consultation in May and June 2025, AFCA will have an expanded jurisdiction from 12 March 2026 allowing it to consider complaints lodged against receiving banks in a scam-related complaint, as well as scam-related complaints lodged in relation to the opening of an account in a person’s name without their consent. This expansion of AFCA’s jurisdiction seeks to increase receiving banks’ accountability, enhancing transparency in tracking scammed funds.

AFCA’s fairness jurisdiction: Beyond legal compliance

Perhaps the most significant feature of AFCA’s approach to dispute resolution is its broad fairness jurisdiction. AFCA assesses not just whether a financial firm complied with the law, but whether it acted fairly and reasonably in the circumstances. Relying solely on contractual terms, disclaimers or the ePayments Code is, therefore, not without risk.

This approach can result in findings against financial firms even where customers appear to have voluntarily disclosed information, particularly where the firm failed to act on red flags or had opportunities to prevent the loss.

This is nowhere more evident than in last year’s HSBC AFCA determination, which is a good example of AFCA’s expectations and approach.

In the HSBC case, a customer lost nearly $50,000 after receiving a spoofed SMS about a $740 Amazon transaction. Notably, the fake message appeared within the same legitimate text thread as previous bank communications, giving it an authentic look. The message included a 1300 number, which the customer called – unaware they were contacting a scammer and not the bank.

The scammer manipulated the customer into disclosing two six-digit passcodes, enabling the fraudulent transaction. HSBC argued that the customer had breached the ePayments Code by “voluntarily” disclosing the passcodes. However, AFCA found otherwise, determining that the disclosure was not voluntary as the scammer’s tactics created both coercion and urgency. The outcome: HSBC was ordered to reimburse the loss, pay interest, contribute $5,000 in legal costs, and pay $1,000 for non-financial loss.

This decision is significant as it challenges the long-standing assumption that customers bear primary responsibility for scam losses.

Whilst the HSBC determination shows the circumstances in which AFCA will find in favour of the complainant, more recent AFCA determinations show how financial firms can seek to reduce their liability by demonstrating that they have complied with their obligations.

So what next?

To meet AFCA’s expectations and reduce the risk of being implicated in scam-related losses, licensees should embed the following practices:

Strengthen fraud detection and monitoring. Licensees should consider investing in advanced technology that flags suspicious transactions early. Real-time monitoring, two-factor or multi-factor authentication, and sophisticated anomaly detection systems are now considered baseline requirements. Behavioural analytics can help identify emerging scam patterns, and businesses must ensure their systems are robust enough to intervene before funds leave customer accounts.

Enhance Internal Dispute Resolution (“IDR”) processes. AFCA expects firms to prioritise resolution over an adversarial stance. Complaints that drag on or rely heavily on technicalities often draw criticism. Ensure your IDR team is well trained to handle scam complaints with empathy and efficiency, is across AFCA’s factsheets relating to scam complaints (for example, AFCA’s EDR Response Guide – Scam – Authorised Transactions), and complies with ASIC’s guidance on dispute resolution.

Educate customers. Consumer education is a shared responsibility. Provide clear, accessible warnings about common scams, update your website regularly, and use multi-channel alerts to reach a wider audience.

Embed scam risk into compliance frameworks. Scam risk should be fully integrated into your enterprise risk management program. Regularly review and test controls, conduct scenario testing, and ensure that the Board is actively engaged in overseeing scam risk management.

Report and remediate systemic issues. If you identify a recurring problem or systemic vulnerability, act quickly. Notify ASIC as required and implement corrective measures. AFCA is required to identify and report to regulators businesses that ignore or fail to address systemic issues, and such failures can lead to regulatory escalation and increased liability.

Regulatory outlook: What’s on the horizon?

The regulatory environment is tightening. AFCA’s ongoing work with government following the Scams Prevention Framework signals an increased focus on a licensee’s responsibility to prevent scams. ASIC, too, is increasing its enforcement activity – illustrated by its action against HSBC for systemic failures to prevent spoofing scams, with allegations of $23 million in customer losses across 950 reports.

Licensees should brace for:

  • stronger requirements for real-time scam prevention and detection systems
  • greater scrutiny of customer education initiatives
  • additional requirements relating to scam-related incidents under the Scams Prevention Framework.

The bottom line

AFCA’s message is unambiguous: scams are a shared problem, and fairness – not just technical compliance – is the benchmark against which businesses will be judged. For Australian financial services licensees, this means moving beyond legalistic defences to embrace proactive risk management and robust customer care.

By learning from AFCA’s recently published determinations, both those decided for and those decided against licensees, and aligning your operations with its evolving expectations, you can seek to protect your business from liability and foster trust with your customers in an increasingly challenging environment.

