The Real Battleground of SPF May Be IDR, Not Detection

Most SPF discussion still centres on prevention, detection and disruption. The latest rules and policy papers suggest the most consequential pressure point may sit elsewhere: internal dispute resolution, liability and multi-party complaint handling.

June 1, 2026 | Cyberoo Research & Analysis Team

Click to view full size

Most discussion around SPF focuses on prevention, detection and disruption. That is understandable. These are the visible parts of the framework. They align with the public story of stopping scams earlier, reducing harm faster and pushing regulated sectors to act more decisively.

But the newest draft rules and policy material point to another pressure point that may ultimately prove just as important: internal dispute resolution. That is where many of the hardest questions will land. Not only whether a scam was detected or a warning sent, but who was responsible for what, what facts are agreed, what evidence supports those facts, how should the complaint be resolved, how should liability be apportioned between entities, and what should the consumer actually be told and paid.

For context on how this complexity arises, see What the Scams Prevention Framework Means for Banks and Financial Institutions, which explains the multi-sector accountability structure that makes IDR so challenging.

Why scam complaints are different from ordinary disputes

Treasury's IDR position paper says this directly. A single scam complaint may involve several regulated entities across different sectors, each of which may have played a role at different stages of the scam. That creates a level of complexity not typically present in existing IDR frameworks, which are generally designed to assess disputes involving a single entity.

A scam complaint can involve:

a bank through which money moved
a digital platform through which advertising or contact occurred
a telecommunications provider through which calls or messages were delivered
several attempts at warning, verification or disruption
conflicting views on who could realistically have prevented the loss
questions about whether the consumer should have been contacted earlier
questions about whether warnings were timely, clear or specific enough

That means SPF complaints are not just larger versions of normal disputes. They are different in shape.

What the draft rules and position paper are quietly building

The draft rules and position paper together suggest that SPF is not only building a prevention framework. It is building a new complaint-handling model for scam events that are cross-sector, evidence-heavy and potentially multi-party.

Cooperation between multiple regulated entities

The IDR position paper says entities will be required to cooperate at the IDR stage, and that this is intended to ensure all entities engage constructively, share relevant information where appropriate, and support timely complaint resolution. It also notes industry interest in a centralised IDR model for multi-entity scam complaints. This is a significant departure from business-as-usual complaint handling.

Statement of compliance as a structured explanation duty

The statement of compliance is central here. Under the draft rules, it must include each matter raised in the complaint, findings on material questions of fact, information relied on, the process followed, the outcome, any action taken or compensation given, apportionment details, and where relevant, information about another entity's conduct that affected or may have affected the outcome. This is far more structured than many current scam complaint responses. It effectively creates a formal explanation duty.

As established in our earlier analysis, the structured explanation duty sits within SPF's broader shift toward an evidence framework. IDR is where that evidence framework is most likely to be tested in practice.

Proportionate handling for low-value and high-value complaints

The IDR position paper also makes clear that complaint handling is intended to be proportionate to the value and complexity of the loss. Lower-value complaints may be handled through more streamlined processes, while higher-value or more complex matters will require more detailed investigation. This is sensible in theory, but proportionality requires operational design. It does not happen by itself.

Why reimbursement and apportionment will matter more than many expect

The policy direction around reimbursement and liability is especially important. Treasury's IDR paper signals an intention for lower-value scam losses to be handled efficiently and proportionately, including discussion of automatic reimbursement for lower-value verified scam losses. It also indicates a policy direction under which, where several regulated entities have each breached SPF obligations, liability may be shared equally unless there is a reason to depart from that position.

This changes the commercial meaning of SPF. The framework is no longer only about whether an entity has controls in place. It is also about how the consequences of failures will be examined and distributed once a complaint is made. That creates a different set of incentives: entities will care more about proving what they did, evidence gaps will become more costly, inter-entity coordination failures will become more visible, and complaint handling will matter more strategically, not just operationally.

Why this is really an operating model change

The temptation is to treat all of this as something for legal and complaints teams. That would be a mistake. If SPF complaint handling becomes more multi-party, evidence-driven and liability-sensitive, then the whole scam response operating model has to change with it. That includes how scam reports are received, how suspicious activity is verified, how evidence is recorded, how actions are documented, how affected consumers are identified and notified, how internal teams hand matters across, and how positions are formed for later customer communication.

SPF is not only building a scam-prevention framework. It is building a complaint-resolution environment in which sloppy workflows, weak evidence and fragmented handling will become much harder to hide. That is the deeper point. And for the full picture of where this series began, see our earlier piece on how brand impersonation often sits at the start of the scam chain — the compliance journey that ends in IDR frequently begins there.

For organisations that need to understand how to build coordinated response capability, closed-loop scam response provides the operational model that connects the front-end and back-end of SPF obligations.

FAQ

Why would IDR matter more than detection?

Because detection alone does not resolve complaints, allocate liability or explain outcomes. SPF increasingly requires structured response once a consumer dispute arises.

Why are SPF complaints more complex than ordinary complaints?

Because a single scam event may involve several entities across different sectors, each contributing in different ways to prevention, detection, disruption or failure.

What makes the statement of compliance so important?

It turns the complaint response into a structured explanation of facts, process, reasoning, remedy and, where relevant, the role of other entities.

Why does this matter operationally?

Because firms will need a stronger internal model for evidence, coordination and resolution, not just for initial detection.

For many organisations, SPF readiness may be tested not only by how well scams are detected, but by whether complaints, facts, evidence and liability can be handled coherently once several entities are involved.