Overview
One of the most important phrases throughout Australia’s Scams Prevention Framework (SPF) is also one of the least defined: “reasonable systems and processes.”
The SPF does not prescribe exactly what tools organisations must use or how they must structure their scam prevention programme. Instead, it requires regulated entities to have reasonable systems, processes and resources in place to meet their obligations.
That might sound straightforward, but it raises an important question: what does “reasonable” actually mean?
For boards, compliance teams, risk leaders and security teams, this is likely to become one of the most important parts of the framework. It’s not enough to simply have a policy, a spreadsheet or an inbox where incidents are reported. Organisations need to be able to show they have effective processes for preventing, detecting, investigating and disrupting scam activity.
As the SPF moves closer to commencement, understanding how regulators are likely to assess reasonableness is critical. The answer goes beyond documentation. It includes how organisations monitor for threats, investigate suspicious activity, respond to incidents and continuously improve their approach as scam threats evolve.
What Does “Reasonable” Mean in Practice?
The SPF does provide some guidance on how reasonableness is likely to be assessed in practice.
Under the draft SPF Codes, regulators must consider a number of factors when determining whether an organisation’s systems and processes are reasonable. These include:
- The type and scale of services provided and the scam history associated with those services.
- The types of consumers who use the service and their risk profile.
- How the services are delivered.
- Current and emerging scam threats affecting the sector.
- Whether the organisation’s investment in compliance is proportionate to the size and nature of its services.
- Whether contemporary technologies are being used to counter scam threats.
- The presence of mechanisms for continuous improvement.
- Consistency with relevant industry standards and practices.
- The potential loss or harm that consumers could suffer if scam activity occurs.
Taken together, these factors show that reasonableness is not determined by a single policy, control or technology. Instead, organisations are likely to be assessed on their overall approach to scam prevention and whether that approach is appropriate for the level of risk they face.
Importantly, what is considered reasonable is unlikely to remain static. As scam threats evolve, technologies improve and industry expectations change, organisations will be expected to adapt accordingly.
In practical terms, a reasonable programme is one that is appropriate for an organisation’s risk profile and capable of identifying, investigating, recording and responding to scam activity in a consistent and measurable way.
What Does a Reasonable Scam Prevention Programme Look Like?
While the SPF does not prescribe a specific set of controls, the draft Codes provide a clear indication of the areas organisations should be considering.
For many organisations, a reasonable scam prevention programme is likely to extend beyond policies and awareness training. It may also include processes for monitoring brand impersonation, identifying potential scam activity, investigating suspicious incidents, maintaining records and taking appropriate disruptive action when threats are identified.
The SPF’s brand impersonation obligations provide a useful example. Regulated entities are expected to monitor the internet for brand impersonation and promptly send takedown requests for impersonation websites. To do this effectively, organisations need processes that allow them to identify impersonation activity, assess the risk, gather evidence and coordinate response actions.
Similarly, the SPF’s Detect obligations require organisations to investigate actionable scam intelligence and maintain records of their findings. This requires more than simply receiving alerts. Organisations need a structured way to assess threats, document decisions and maintain an audit trail of investigations and actions taken.
The exact approach will differ from one organisation to another. However, the overall direction of the SPF is clear: organisations are expected to move beyond reactive scam handling and towards structured, repeatable and measurable scam prevention processes.
Preparing for the SPF
(The unphish platform combines monitoring, investigation, case management, reporting and enforcement workflows to help organisations build the structured scam disruption capabilities expected under the SPF.)
While the SPF’s obligations do not commence until 31 March 2027, organisations should not assume they have plenty of time.
Building a reasonable scam prevention programme is not something that happens overnight. It requires organisations to assess their current monitoring capabilities, investigation processes, record-keeping practices and response workflows against the expectations set out in the framework.
For many organisations, the most important takeaway is that scam prevention is no longer being treated as a reactive activity. The SPF signals a shift towards structured, measurable and continuously improving programmes that are capable of identifying, investigating and disrupting scam activity before consumer harm occurs.
This is exactly the challenge unphish was built to address. Through continuous monitoring, brand impersonation detection, threat intelligence, investigation workflows, case management and enforcement capabilities, unphish helps organisations move from reactive scam handling to a structured scam disruption programme aligned with the direction of the SPF.
For organisations looking to better understand the framework and its practical implications, we have produced a detailed guide for boards and executive leadership teams covering the obligations, affected sectors and what compliance may look like in practice.