The SPF Definition Fight: What Counts as a Scam, and What Gets Carved Out

Every scam framework eventually runs into the same problem. Before obligations can be enforced, intelligence shared or liability assessed, someone has to decide what does and does not fall inside the perimeter. SPF is now moving into that definitional battleground.

June 5, 2026 | Cyberoo Research & Analysis Team

Click to view full size

Every framework eventually runs into the same problem. Before obligations can be enforced, intelligence shared, disruptive action justified or liability assessed, someone has to decide what falls inside the perimeter and what does not. SPF is now moving toward that point.

For much of the earlier discussion, it was possible to talk about scam prevention in broad and intuitive terms. But as the draft rules and consultation materials become more detailed, the underlying definitional question matters more. What exactly counts as a scam under SPF, and what conduct sits outside that perimeter even if it may still be harmful or unlawful in some other way?

The questions around scope — explored in our earlier piece on who is in and who is out under the digital platform threshold — are closely related to this definitional boundary. Scope tells you whether an entity is regulated. Definition tells you what activity is regulated. Both need to be answered clearly.

Why the definition matters more than many assume

It is tempting to treat the scam definition as a legal drafting detail that can be resolved later. That would be a mistake. Definition determines almost everything downstream in the SPF framework. It influences whether a signal becomes actionable scam intelligence, whether an activity is identified as a scam, what is recorded during investigation, what disruptive action is proportionate, how affected consumers are notified, and how later complaints are resolved.

If the perimeter is blurry, the whole operating model becomes harder to run consistently.

What the planned carve-outs suggest

The consultation guide indicates that the government intends to further refine the scam definition and that misleading or deceptive conduct by legitimate businesses and AFSL holders will be excluded from being a scam under SPF. The material also makes clear, however, that misleading or deceptive conduct will still be treated as a scam where a person impersonates a legitimate business or AFSL holder.

This is a very important distinction. It suggests SPF is not trying to absorb every kind of commercial misconduct or every dispute involving poor or misleading behaviour. Instead, it is trying to draw a more targeted perimeter around deceptive attempts that function as scams, while leaving some other forms of conduct to existing consumer law and financial services law.

Where the hard boundary cases will sit

The simplicity of that distinction will not eliminate the hard cases. In practice, the difficult edge cases are likely to sit where scam, mis-selling, misleading conduct, high-risk promotion and impersonation begin to overlap. A fake investment opportunity promoted through impersonation is relatively easy to place within SPF's logic. A misleading promotion by a real, licensed entity may be harmful, but Treasury is signalling that it would sit elsewhere in the legal landscape. Between those poles, however, there may be many operationally messy cases where frontline teams still need to decide how to classify and handle the activity in real time.

That is why definition is not only a policy matter. It is also a workflow matter. This is consistent with the earlier observation about brand impersonation — the line between genuine impersonation and borderline misleading conduct can be difficult to draw in live operations.

Why this becomes an operational challenge, not just a legal one

Most scam decisions are not made first in court. They are made in systems, case queues, investigations, moderation workflows, fraud operations teams and customer contact centres. That means the definition has to be usable in practice. A framework that is coherent in theory but hard to apply in live operations creates delay, inconsistency and over-escalation in some cases while producing under-response in others.

This is where explainable scam verification becomes especially important. The challenge is not only to reach a label. It is to show why that label is justified, what facts support it, and how that conclusion should influence the next operational step. Firms need a classification approach that is precise enough to support action, but not so brittle that every edge case becomes paralysing.

Why definition will shape evidence, complaints and liability

As SPF matures, the definitional boundary will matter even more because later complaint and liability stages will depend on it. If an activity is clearly within the scam perimeter, that shapes the investigation record, the explanation to consumers, and any later statement of compliance. If it is outside the scam perimeter, different legal and complaint pathways may become more relevant. If it sits in a grey area, the firm may face a much harder job in justifying its decisions, especially where the consumer has suffered loss and multiple entities are involved.

This connection between definition and evidence is why the evidence framework article in this series matters so much. And for organisations operating in multi-party environments where liability is contested, this definitional clarity will directly influence the IDR battleground. Definition is not only a legal question. It determines how activity is classified, disrupted, explained and disputed across the entire SPF response cycle.

Why this debate matters now

The definition fight matters because SPF is moving from broad architecture into practical application. At that stage, boundary questions stop being abstract. They begin to affect how quickly activity can be classified, how confidently action can be taken, and how defensible those decisions will be later. That is why the consultation's planned carve-outs deserve close attention. They are not just tidying language. They are helping determine the real perimeter of SPF intervention.

Brand impersonation and the speed of response both build on what counts as a scam at the definitional level.
The 28-day investigation window is only meaningful once the definition boundary tells frontline teams what they are actually investigating.

FAQ

Why does the SPF definition matter so much?

Because every later stage of the framework depends on it. If the perimeter is unclear, detection, disruption, reporting, complaints and liability all become harder to apply consistently.

What kind of carve-out is the consultation pointing toward?

The consultation material suggests that misleading or deceptive conduct by legitimate businesses and AFSL holders may be carved out from the SPF scam definition, while impersonation of those legitimate entities would still fall within the scam perimeter.

Why are edge cases such a big issue operationally?

Because firms do not handle scams only in court. They handle them in live workflows. If a boundary case cannot be classified clearly enough for action, delay and inconsistency become much more likely.

Does this only matter for lawyers and policymakers?

No. It matters for fraud teams, risk teams, platform trust and safety teams, telecom providers, complaints teams and anyone who has to make or explain a scam-related decision.

As SPF matures, one of the most important capability questions will be whether organisations can distinguish scam activity, impersonation, misleading conduct and other edge cases in a way that is both legally coherent and operationally usable.