Australia’s Crackdown on Customer Fraud Losses: A Wake-Up Call for APAC

Let’s be honest – the burden of payment fraud has for years fallen squarely on the shoulders of scammed customers – A.K.A., victims. Reimbursement has largely been tactical; an opt-in gesture of goodwill administered on a case-by-case basis to customers who either make enough noise, or hold accounts banks can’t afford to lose.

If you’re familiar with the UK’s APP fraud reimbursement mandate, you’ll know that things are changing in a big way. Be in no doubt that this shift is neither temporary, trivial or localized – it’s a wake-up call for financial institutions the world over, and not least in.

Australia’s Incoming Reform: Scam Prevention Framework Bill 2024

In 2024, Australia’s federal government announced the Scams Prevention Framework Bill 2024, which includes provisions for regulated entities (banks, telcos, and digital platforms) to compensate victims if they fail to meet their obligations under the framework.

The government has made it clear: if platforms and financial institutions can profit from digital transactions, they can also be held accountable when those systems are exploited. While the bill was passed in February 2025, full implementation of the Scams Prevention Framework is expected by 2026

Let’s drill down.

What Those Impacted Need to Do

The new framework doesn’t just raise the bar—it codifies it. That said, it’s not a one-size-fits-all checklist—but it does lay out clear expectations.

Regulated entities, including banks, telcos, and digital platforms, will be expected to take “reasonable steps” to prevent, detect, disrupt, and respond to scams.

What qualifies as “reasonable”? That will vary—but examples may include:

• Scam detection systems that surface threats in real time or shortly after
• Customer warnings and intervention mechanisms that introduce friction when scams are suspected
• Robust device and identity checks tailored to the entity’s risk profile
• Monitoring and takedowns of impersonation attempts across digital and social channels
• Timely sharing of scam intelligence with the ACCC and other entities

It’s of little consolation that the framework recognizes the fact that obligations will differ by industry, size, and service model. Sector-specific codes are, allegedly, on the way—and with them, sharper definitions of accountability.

But, for now, the message is clear: if you’re not actively reducing scam risk, you’re not compliant.

Of the five bullet points above, Memcyco can tick-off the first four virtually overnight as the only solution in the market capable of identifying scam victims in real time. While real-time victim identification isn’t mandated, it’s a huge advantage for customer ATO prevention. 

APAC’s Turning Point—With One Notable Exception

With Australia moving toward mandatory scam loss reimbursement, and Singapore enforcing tighter obligations around digital fraud prevention, APAC is clearly entering a new phase of accountability. Financial institutions and digital platforms across the region are being called to the mat—not just to detect scams, but to prove they’re doing enough to prevent them.

New Zealand, however, has dodged the bullet—for now. Despite growing scam losses, banks there have openly stated they have no intention of reimbursing victims unless legally required. But with global momentum shifting and regulators watching their neighbors, this exemption may not last long.

What This Means for Brands Outside Finance

You might be thinking: “We’re not a bank, this doesn’t apply to us.” But you’d be wrong.

If you’re an eCommerce platform, a digital wallet provider, a crypto exchange, or any business that facilitates high-value transactions online—you are in the crosshairs. So are travel companies, airlines, subscription services, and even telecoms.

Because while today’s rules might target financial institutions, the definition of what qualifies as one is evolving. And if your brand is frequently impersonated in phishing campaigns that trick users into handing over payment info or login credentials, regulators could argue you haven’t done enough to stop it.

Accountability Is Now an Expectation

Whether it’s customer reimbursement, stronger KYC, takedown obligations, or mandatory reporting, businesses can no longer hide behind plausible deniability. Governments are shifting the burden of fraud prevention to the organizations best equipped to fight it—and that means real-time visibility and protection are no longer “nice to haves.”

Though these capabilities aren’t mandatory, those that acquire them will easily prove they’re taking not just “reasonable steps ”to prevent, detect, disrupt, and respond to scams”, but steps that go beyond the most basic measures. The rest will be treading on thin ice.

Here are the capabilities to aim for:

• When scammers attempt to impersonate digital content
• Exactly which customers click links to impersonating websites
• Protection of credentials even if customers enter them on fake login forms
• Advanced device fingerprinting for pre-emptive attack insight

That level of visibility only happens with active defense, not passive detection. Scanning for fake sites after they’re live is too late. Hoping customers recognize a scam is not a strategy. And paying reimbursements without fixing root causes only fuels more fraud.

The Bottom Line

Regulators have finally caught up to what customers already knew: they’re not at fault when sophisticated digital scams work. And now, financial institutions—and soon, businesses across all sectors—are being forced to internalize that truth.

The businesses that thrive in this new landscape will be those that build fraud prevention into their customer experience, not bolt it on after the damage is done.

Those who wait will find themselves not just paying the price—but also explaining to regulators why they didn’t see it coming.

Book a product tour to find out how, virtually overnight, Memcyco puts you on the front foot of ‘regulation readiness’ with pre-emptive, predictive and proactive capabilities for anticipating and dismantling impersonation and phishing scams in real-time. 

Julian Agudelo

Head of Content Marketing