
SPF Is No Longer Just a Principles Framework — It Is Becoming an Evidence Framework

For much of the policy discussion so far, SPF has been framed as a principles-based model. The latest draft rules suggest something more concrete is emerging: a framework that increasingly depends on evidence, explanation and signed accountability.

May 31, 2026 | Cyberoo Research & Analysis Team

Under SPF, scam response is increasingly judged not only by action, but by whether action can be explained, evidenced and reconstructed later.

For a long time, SPF has been discussed mainly as a principles framework. That made sense in its early stages. The language of governance, prevention, detection, disruption and response was designed to establish a broad operating direction across regulated sectors. It told industry what kind of behaviour the system wanted, while leaving room for sector-specific obligations to evolve.

The latest draft rules suggest that this phase is changing. SPF is no longer only about whether an organisation says it has taken reasonable steps. It is increasingly about whether those steps can be described clearly, supported by facts, tied to process, signed off by the right person, and retained in a form that can later be scrutinised. That is a different kind of framework. It is closer to an evidence framework.

Why principles alone are not enough once complaints and liability begin

Principles matter because they set expectations. But principles do not resolve complaints on their own. They do not explain disputed facts. They do not tell a consumer what was investigated, what was found, what action was taken, and why a particular outcome was reached. They do not allocate responsibility between several entities involved in the same scam event.

Once SPF moves from high-level prevention into real-world complaint handling, redress and external review, organisations need something more structured than general compliance language. That is exactly what the new draft rules begin to construct. The strongest example is the statement of compliance.

Under the draft rules, this is not a generic complaint response. It is a structured output that must include each matter raised in the complaint, findings on material questions of fact, the information relied on, the process followed, the outcome, action or compensation provided, and, where relevant, information about another entity's conduct that affected or may have affected the outcome. That is not mere narrative. That is evidence architecture. And as noted in our earlier analysis, speed without records is not enough — structured evidence must accompany timely action.

What the draft rules reveal about SPF's next phase

Several parts of the draft rules point in the same direction.

Structured statement of compliance

The draft rules do not allow the statement of compliance to remain vague. They require it to explain: what the complaint raised; what facts were found; what information supported those findings; what process was followed; what outcome was reached; what action, compensation or remedy was provided; how compensation was apportioned, if relevant; and how the complainant can access EDR.

This matters because it shifts the burden of explanation onto the regulated entity. It is far more structured than many current scam complaint responses. It effectively creates a formal explanation duty — and will lead directly into the IDR battleground discussed in the next article in this series.

Authorised sign-off

The draft also requires the statement of compliance to be signed by a senior officer who, under the entity's governance policies and procedures, has oversight of matters relevant to the complaint. This is not a small detail. It suggests the statement is not intended to be treated as a casual case note or a low-level operational response. It sits closer to governed institutional accountability. The entity is not simply replying. It is standing behind the explanation it gives.

Timing and delay notice

The timing provisions reinforce the point. The draft rules generally require a statement of compliance to be given within 21 calendar days after the complaint is received. If the entity cannot reasonably comply, it must provide written notice explaining the delay and the complainant's EDR rights. There is also a short-form pathway for complaints resolved within 5 business days, but the complainant must still be told they may request a fuller statement. The framework wants speed where possible, and still wants traceable explanation even when speed is prioritised.

Record-keeping and retrievability

The SPF rules include requirements around records being retained for 6 years, and records must be kept in Australia or in a way that allows electronic access from Australia. That is important because evidence is not only about the moment of response. It is also about later reconstruction. This is why explainable scam verification is becoming more than a product feature — it is increasingly part of the infrastructure required to make SPF work in practice.

Why evidence quality will shape scam response outcomes

Once SPF starts requiring this level of structured explanation, evidence quality begins to influence multiple stages of the scam-response lifecycle. It shapes verification, disruption, consumer communication, and liability and redress. This is one reason the next SPF challenge is not simply detection quality. It is evidence quality.

In practice, many organisations will need to ask a harder question than they have so far. Not: “Can we identify suspicious activity?” But: “Can we produce evidence outputs that remain usable across detection, disruption, customer communication, complaint handling and possible external review?” That is a much higher bar.

The same is true for closed-loop scam response. A response loop is not truly closed if the evidence generated in one part of the workflow cannot support the next part of the workflow. That is what the draft rules are quietly pushing the market toward.

FAQ

Is SPF still principles-based?

Yes, but the latest draft rules suggest that principle-level obligations are increasingly being translated into more detailed evidentiary expectations.

Why does the statement of compliance matter so much?

Because it forces the regulated entity to explain facts, process, outcomes and reasoning in a structured way rather than relying on general assertions.

Does this only affect complaints teams?

No. It has implications for verification, disruption, record-keeping, governance, customer communication and cross-entity coordination.

Why is this important commercially?

Because firms that cannot produce structured, explainable evidence may find it harder to support disruption decisions, resolve complaints efficiently, or defend their position later.

As SPF shifts toward evidence, the next challenge for many organisations is whether scam-related decisions can be translated into outputs that are explainable, auditable and usable across response, complaints and dispute resolution.