Reform at a glance

From 12 March 2026, the Australian Financial Complaints Authority (AFCA) will significantly expand its jurisdiction to allow it to consider scam-related complaints involving receiving banks and the unauthorised opening of accounts or credit facilities, including circumstances where the affected consumer or small business is not a customer of the bank concerned. The changes represent a material shift in Australia’s external dispute resolution framework, extending potential exposure beyond the victim’s bank and reinforcing expectations that responsibility for scam prevention, detection and redress is shared across the financial services ecosystem. The reforms also sit alongside the commencement of the Scams Prevention Framework from 1 July 2026, which will introduce additional obligations across the financial services sector and further elevate expectations on governance, accountability and end-to-end control effectiveness. In doing so, the reforms signal heightened scrutiny of banks’ governance, systems and controls across the full lifecycle of scam activity, from account opening through to the movement and recovery of funds. Set out below are key regulatory watchpoints arising from these developments.

What this means for your business

Set out below are key regulatory watchpoints arising from these developments.

1. Complaints against receiving banks
   From 12 March 2026, AFCA will be able to consider complaints directly against receiving banks where scam funds are received, moved or dispersed, regardless of whether the complainant is a customer. This expands AFCA’s ability to assess whether receiving banks acted reasonably once scam funds entered their systems.
2. Increased focus on mule accounts in external dispute resolution
   AFCA’s expanded jurisdiction brings mule accounts squarely into scope for external dispute resolution. AFCA will examine how effectively receiving banks identify and respond to accounts used to facilitate scam activity, including the timeliness and appropriateness of interventions.
3. Unauthorised opening of accounts and credit facilities
   AFCA will be able to consider complaints where accounts or credit facilities have been opened without a person’s consent or authority. This enables scrutiny of onboarding and identity verification practices, even where there is no customer relationship.
4. Assessment of conduct across the scam payment chain
   AFCA will be able to look beyond the victim’s bank to examine conduct across the full flow of scam funds, including information-sharing between institutions and decisions relating to recovery and remediation where multiple banks are involved.
5. Complaints from non-customers and IDR coordination
   Banks will need to respond to AFCA complaints from individuals and small businesses with no direct customer relationship. AFCA is likely to assess the consistency, coordination and evidentiary basis of IDR responses where more than one bank is involved in a scam.
6. Governance and accountability for AFCA outcomes
   AFCA’s expanded role will increase focus on whether governance, decision-making and escalation arrangements support timely, fair and well-evidenced outcomes in AFCA scam-related complaints.

Key dates and status

• Stage: Reform passed / Implementation imminent
  Target Date: 12 March 2026: AFCA's expanded jurisdiction commences, enabling it to consider scam-related complaints involving receiving banks and the unauthorised opening of accounts or credit facilities, including where the affected consumer or small business is not a customer of the bank concerned.
• 1 July 2026: Scams Prevention Framework commences, introducing additional obligations across the financial services sector and further elevating expectations on governance, accountability and end-to-end control effectiveness.
• Next Milestone: Organisations should complete readiness assessments and IDR framework reviews ahead of 12 March 2026 to ensure compliance with AFCA's expanded jurisdiction from the commencement date.

Our perspective

AFCA has rightfully described its expanded jurisdiction as a critical interim step toward a system-wide approach to consumer protection. The changes are in line with broader regulatory change regarding scams and place the emphasis on banks to ensure their strategy and approach to managing scams is robust, consumer focussed and well governed.

Bringing receiving banks into AFCA's remit prior to it being able to receive complaints under the SPF, which is expected from 1 January 2027, demonstrates Government and regulator commitment to ensuring all banks involved in the flow of scam funds are accountable for consumer protection.

When apportioning compensation across multiple organisations AFCA is likely to focus on whether banks can show they have acted in a timely and reasonable manner once scam funds have entered their systems and have in place customer onboarding and identity verification controls that are in line with good industry practices.

The changes further reinforce the importance of identifying and closing mules’ accounts to prevent scam funds being successfully moved through the system. Rather than just responding to red flags identified in relation to new account openings or in response to notifications about suspected scam activity from other financial institutions, Banks should be looking more systematically to identify existing mule accounts through analytical models leveraging customer and behavioural biometric intelligence and proactively blocking them as a preventative tool to protect consumers who may have had accounts opened or credit taken out in their name without their knowledge.

What you should do now

Against the backdrop of AFCA’s expanded jurisdiction and heightened scrutiny of scam-related outcomes, boards and management should consider whether existing frameworks, controls and governance arrangements are fit for purpose in an external dispute resolution context:

1. Have we mapped scam-related incidents, complaints and losses across the end-to-end scam journey, including points where we act as a receiving bank?
2. Do our transaction monitoring and fraud controls adequately identify and respond to suspicious activity where we act as a receiving bank?
3. Are onboarding and credit approval processes sufficiently robust to prevent unauthorised accounts or facilities being opened using compromised identity information?
4. Are internal dispute resolution frameworks, policies and systems capable of handling complaints from non-customers under AFCA’s expanded jurisdiction?
5. Do investigation, escalation and decision-making processes support defensible outcomes in cross-bank scam complaints?
6. Are governance, accountabilities and reporting arrangements clear for managing scam risk and regulatory engagement across the organisation?
7. Are all actions taken as a receiving bank adequately documented and easy to evidence?

How we can help

Our Risk and Regulatory consulting team is led by seven partners with a combined 13 decades of expertise in governance, risk and compliance advisory, anti-money laundering, fraud and forensics. The team specialises in supporting the financial services sector and they often work for leading banks, insurers and superannuation funds. We advise across the risk and regulatory continuum, including designing risk, governance and compliance frameworks, investigating issues and incidents, reviewing processes and controls, responding to regulatory inquiries and conducting remediation programs.

The team often works with MinterEllison's legal specialists to provide end-to-end solutions to our clients’ most complex business problems, navigate fast-evolving stakeholders’ expectations and implement critical industry and regulatory change.