What the Scams Prevention Framework Is
Scams have grown into one of the largest sources of financial harm in Australia, costing consumers and businesses billions and eroding trust in the everyday channels — calls, texts, emails, platforms — that commerce depends on. The government's answer is the Scams Prevention Framework (SPF), a piece of legislation widely described as one of the toughest anti-scam regimes in the world.
Its core idea is a shift in responsibility. For years, the burden of avoiding scams fell almost entirely on the victim. The SPF moves that burden onto the organisations best placed to stop scams at scale: it makes banks, telecommunications providers and digital platforms legally accountable for a chain of duties — to prevent, detect, disrupt, respond to and report scams — rather than treating fraud as purely the customer's problem.
The teeth are significant. Breaches can attract civil penalties of up to $50 million per contravention. Oversight is split across regulators: the ACCC is the general regulator, ASIC oversees banks, and the ACMA oversees telcos.
$50M
Max penalty per breach
3
Sectors: banks, telcos, platforms
1 Sep
2026 — rules commence
ACMA
Telco regulator
Why Australia Went This Hard
The scale of the harm made a light-touch approach untenable. Scammers had learned to exploit the seams between industries — a text that impersonates a bank, a call that spoofs a telco number, a fake listing on a platform — knowing that no single player felt fully responsible for the whole journey. By imposing a coordinated set of duties across banks, telcos and platforms simultaneously, the SPF is designed to close those seams.
There is also a consumer-redress dimension. Reporting around the framework has pointed to mechanisms such as an automatic reimbursement threshold for smaller verified losses — the principle being that if the regulated entities fail in their duties, customers should not be left to absorb the loss alone. Whatever the final detail, the direction is clear: accountability is being pushed up the chain, to the organisations with the tools to act.
The framework reframes scams from "buyer beware" to "provider be responsible". For legitimate businesses, that's ultimately protective — but it raises the bar for proving you are who you say you are. — The shift the SPF represents
The Telecommunications Code
Sitting beneath the overarching framework are sector-specific codes, and the one that matters most for communications is the Telecommunications Code — the instrument, made by the Minister for Communications, that spells out the telco-specific obligations. Draft rules and sector codes were released in 2026 ahead of commencement.
For telcos and messaging providers, the Telco Code translates the framework's broad duties into concrete expectations around things like verifying the identity of senders, tackling number spoofing and scam SMS, sharing scam intelligence, and acting on scams they detect. This is the same regulatory current that produced the SMS Sender ID Register — and it is why identity and verification are suddenly central to how business messages are treated.
Key Dates You Need to Know
- 1 July 2026 — The SMS Sender ID Register becomes mandatory; unregistered branded texts start showing as "Unverified". Businesses using Australian numbers or branded SMS face stricter identity checks.
- 1 September 2026 — The Scams Prevention Framework rules commence.
- 31 March 2027 — Key obligations on regulated banks, telcos and platforms apply, backed by penalties up to $50 million per contravention.
The staggered timeline is deliberate: the visible consumer-facing changes (like the "Unverified" label) arrive first, while the heavier institutional duties phase in, giving regulated entities time to build the systems the framework demands.
How It Connects to the SMS Sender ID Changes
If you have already noticed texts arriving marked "Unverified", you have met the SPF's world in practice — even if you did not know its name. The SMS Sender ID Register and the Scams Prevention Framework are two parts of one coordinated push:
- The Sender ID Register is the specific mechanism that stops SMS impersonation, by requiring branded sender IDs to be registered and flagging the rest as "Unverified".
- The Scams Prevention Framework is the broader legal structure that places enforceable, penalty-backed duties on telcos (and banks and platforms) to prevent and respond to scams across the board.
The common thread is verified identity. Both regimes are, at heart, about making sure that when a message or call claims to be from a particular organisation, it verifiably is. For businesses, that means the era of casually spoofable sender names and untraceable messaging is ending — and being demonstrably who you say you are is now a competitive and compliance asset.
The one thing to internalise
Every 2026 rule — the Sender ID Register, the "Unverified" label, the Telco Code — points the same way: verified, recognisable identity is becoming mandatory across all your customer channels.
Does It Apply to My Business?
Here is the honest, non-alarmist answer. The direct legal obligations of the SPF fall on regulated entities in three sectors: banks, telecommunications providers and major digital platforms. If you run a clinic, a trades business, a retail shop or a professional practice, you are almost certainly not a regulated SPF entity, and you are not personally facing $50 million penalties.
But you are affected in practice, in two ways:
- Your providers' duties flow down to you. Your bank, telco and platforms now carry legal obligations, which means they will apply stricter identity and verification checks to how you use Australian numbers and branded SMS. That is why, from 1 July 2026, using a business number or a branded sender ID comes with tighter requirements.
- Trust becomes a differentiator. As consumers are trained to distrust "Unverified" senders and unrecognised numbers, businesses that communicate with clear, verified identity will simply be believed — and those that don't will be quietly ignored.
What Businesses Should Do Now
- Use verified, recognisable identity everywhere. Send SMS from a recognised business number or a registered sender ID, and make sure your caller ID presents correctly.
- Keep your ABR details current. Sender ID registration and identity checks lean on your Australian Business Register information — stale details cause friction.
- Choose an Australian, ACMA-compliant provider. A provider whose own obligations align with the new rules does much of the compliance heavy lifting for you.
- Consolidate your channels. Fewer, well-managed communication channels are far easier to keep verified and consistent than a sprawl of ad-hoc tools.
- Educate your team. Make sure staff understand why messages must come from approved, verified identities — not a personal phone or an unregistered app.
How Uniden Voice Helps You Stay Compliant
Uniden Voice Over Cloud is an Australian-owned, Australian-hosted communications provider built for exactly this environment — where verified identity and provider accountability are the new normal.
Verified by design
Calls and SMS go out from your recognised business number — not spoofable names or unregistered apps.
ACMA-aligned Australian provider
Our obligations move in step with the new rules, so compliance isn't left entirely on your desk.
Onshore data & hosting
Your customer conversations stay in Australia, on Australian systems.
One consistent identity
Calls and texts on one number and platform — easy to keep verified and consistent.
Local support that knows the rules
An Australian team who can explain what each change means for you, in plain English.
Modern & future-ready
AI call handling and verified messaging, built for where communications regulation is heading.
The Scams Prevention Framework marks a permanent shift: identity and accountability are now built into the rules of Australian communication. Businesses that lean into verified, recognisable identity — and pick a provider aligned with the new regime — will find the transition easy and, increasingly, an advantage. For the SMS-specific side of this story, see how Uniden Voice keeps your business texts verified.
Frequently Asked Questions
What is Australia's Scams Prevention Framework?
The SPF is legislation, described as one of the toughest anti-scam regimes in the world, making banks, telcos and digital platforms legally accountable for preventing, detecting, disrupting and responding to scams, backed by civil penalties up to $50 million per contravention. The ACCC is general regulator, ASIC oversees banks and the ACMA oversees telcos.
When does the Scams Prevention Framework take effect?
The rules commence from 1 September 2026, with key obligations on regulated businesses applying from 31 March 2027. It works alongside the SMS Sender ID Register, mandatory from 1 July 2026, so related changes like the "Unverified" label are already visible.
Does the Scams Prevention Framework apply to my business?
The direct legal duties fall on regulated banks, telcos and major platforms. Most ordinary businesses aren't regulated SPF entities, but they're affected in practice because identity and verification standards for using Australian numbers and branded SMS are tightening.
How does the framework relate to the SMS Sender ID Register?
They're part of the same anti-scam push. The Sender ID Register tackles SMS impersonation by requiring registration and labelling unregistered senders "Unverified"; the SPF is the wider legal structure placing enforceable duties on telcos and others. Both centre on verified identity.
How can businesses stay on the right side of the new rules?
Use verified, recognisable identity across every channel, send SMS from a recognised business number or registered sender ID, keep ABR details current, and choose an Australian, ACMA-compliant provider. Consolidating calls and messaging onto one trusted platform makes staying compliant far easier.
What to Read Next
The Scams Prevention Framework touches everything about how your business communicates. These guides help you get ready.


