
Why 28 Days Still Feels Too Slow in a Scam That Can Scale in Hours

The SPF investigation framework is legally understandable. The operational challenge is different. Scam harm often spreads in hours, not weeks, which means the real pressure point is what regulated entities do before certainty is complete.

May 30, 2026 | Cyberoo Research & Analysis Team

The outer investigation window matters legally. The decisive scam-prevention window is often much earlier.

A scam can scale in hours. A regulation can be drafted around weeks. That tension sits at the heart of one of the most important practical questions in the new SPF environment.

Under the SPF framework, regulated entities that have actionable scam intelligence about an activity must investigate whether the relevant activity is a scam within a 28-day framework. The draft codes also make clear that once intelligence becomes actionable, entities are expected to identify whether the activity is a scam, record relevant investigation information, identify affected SPF consumers, notify them, and in many cases undertake risk assessment to inform disruptive action.

Legally, that structure is understandable. Operationally, it still feels slow. The real question is not whether 28 days is too long in the abstract. The real question is what organisations are expected to do in the first hours and days after intelligence becomes actionable, while uncertainty still exists and harm may already be spreading.

Why the 28-day investigation framework exists

A framework like this exists for good reason. Not every suspicious activity is a scam. Not every reported signal is reliable. Not every risky-looking payment, communication or online interaction will ultimately justify a strong disruptive response. If the law forced immediate certainty in all cases, it could create different harms, including over-blocking, over-removal and unfair treatment of legitimate activity.

The SPF structure therefore reflects two realities at once. The first is that regulated entities need a formal investigative framework. The second is that they may still need to act before full certainty is reached. That is why the draft codes do not simply say “investigate within 28 days” and stop there. They also add a wider set of duties around evidence, identification, consumer notification and disruption.

Why it still feels too slow in practice

The operational discomfort comes from the way scam harm actually behaves.

  • A fake page can be shared widely within hours.
  • An impersonation campaign can move across domains in a day.
  • A malicious ad can drive a large number of clicks quickly.
  • A spoofed call campaign can reach thousands of consumers in a short window.
  • A mule or beneficiary account can receive payments before a slower review process catches up.

In those conditions, the outer legal investigation window is rarely the decisive issue. The decisive issue is what happens in the first 24 to 48 hours. Can the activity be verified quickly enough to support cautionary action? Can affected consumers be identified early enough? Can meaningful warnings be issued? Can suspicious infrastructure be disrupted before the campaign replenishes?

Note: As highlighted in earlier coverage of brand impersonation under SPF, impersonation is often one of the earliest scam surfaces. The sooner it is identified, the more options remain for proportionate disruption.

What entities are expected to do before certainty is complete

The draft codes suggest that SPF is not waiting until the end of an investigation for everything meaningful to begin. Several obligations are pulled much earlier into the lifecycle.

Identify whether an activity is a scam

The draft code requires a regulated entity that has actionable scam intelligence to identify whether or not the activity is a scam. That means the organisation needs a real method for turning suspicious signals into defensible classification — structured assessment logic, corroboration, pattern recognition and staff who know what a usable scam determination looks like.

Record investigation information

The draft also requires relevant information about the investigation to be recorded, including whether the activity was identified as a scam, the method used to initiate contact with SPF consumers, and, if identified as a scam, the type of scam and the identifiers used such as URLs, email addresses, phone numbers and social media profiles. A suspicion may trigger action, but a regulated response will increasingly require recorded reasoning with implications for explainability, auditability and later dispute resolution.

Identify affected SPF consumers

The draft requires reasonable systems and processes to identify SPF consumers who have, or may have, been affected by the activity. That means organisations cannot frame scam detection only as “can we spot the bad thing?” They also need to ask: “Can we work out who may already be exposed?”

Notify affected SPF consumers

The draft then requires entities to take reasonable steps to notify SPF consumers who have, or may have, been affected by the activity. The notification must be given as soon as practicable, be relevant and proportionate to the risk, and where possible explain why the entity suspects the consumer is or may be affected. A notification that is accurate but too late may satisfy neither the spirit nor the operational purpose of scam prevention.

Why the real challenge is the first 24 to 48 hours

The SPF debate often drifts into the outer legal timeframe because that is easy to point to. But in live scam operations, the more important question is usually: what can an organisation do before certainty is complete, but after the risk is already real?

The draft framework points to an answer. A regulated entity is expected to:

  • recognise when intelligence becomes actionable
  • investigate
  • identify and record
  • identify affected consumers
  • notify them
  • assess risk for disruptive action

That means the practical centre of SPF readiness is not the 28th day. It is the organisation's ability to move intelligently on Day 1. This is where fast verification becomes important, where explainable reasoning becomes important, and where proportionate disruption capability becomes important. Without those capabilities, the outer legal timeframe becomes a poor shield against fast-moving harm.

What this means for regulated entities in practice

The firms that respond best under SPF are unlikely to be the ones that simply build a compliance timetable. They are more likely to be the ones that build a faster decision-making stack. That stack usually needs:

  • a way to intake suspicious signals quickly
  • a way to verify them in a structured and explainable way
  • a way to identify related infrastructure or activity
  • a way to assess the likely consumer harm
  • a way to trigger proportionate warnings or disruptive action early
  • a way to retain the evidence needed later

The issue is not only whether a scam exists. The issue is whether the organisation can know enough, early enough, to do something proportionate before losses multiply. That is the true time challenge of SPF.

Next read: Speed without records is not enough. See SPF Is No Longer Just a Principles Framework — It Is Becoming an Evidence Framework to understand why structured evidence matters at every stage.

FAQ

Does SPF require full certainty before action can begin?

No. The framework allows for investigation, but it also creates expectations around identifying activity, recording relevant information, identifying affected consumers and notifying them.

Is the 28-day period the real operational target?

Not in practice. It is better understood as an outer investigative frame. The meaningful pressure point usually sits much earlier.

Why is this such an important tension under SPF?

Because scam harm often scales faster than formal investigation cycles. The challenge is not only whether a scam can eventually be identified, but whether meaningful action can happen before losses multiply.

What kind of capability matters most here?

Fast verification, explainable reasoning, impact identification and proportionate disruption all become important once suspicious intelligence becomes actionable.

For many organisations, SPF readiness will be judged less by the formal investigation window than by how quickly suspicious activity can be verified, escalated and acted on once harm begins to propagate.