‘Likely SCAM': Australia to strictly regulate SMS sender IDs this year

TLDR

The ACMA is consulting on the new SMS Sender ID Register and associated Draft Telecommunications (SMS Sender ID Register) Industry Standard 2025. Together, these changes will introduce major changes to the use of Sender IDs in Australia, including:

• preventing carriers and carriage service providers who are not 'registered' from sending SMS/MMS that use Sender IDs (including international carriers and carriage service providers)
• requiring that any SMS/MMS sent using an unregistered Sender ID is 'over-stamped' with the words 'Likely SCAM', and
• preventing overseas entities who cannot register on the SMS Sender ID Register from sending SMS/MMS that use Sender IDs. 

Public submissions close on 28 April 2025.

What is happening?

As part of the Australian government’s initiatives to reduce harm caused by scams, in 2024 the government announced that it would establish a mandatory SMS Sender ID Register to protect Australians from scam SMS/MMS messages, and enacted legislation intended to achieve that objective focusing on regulating the alphanumeric sender ID/message headers that appear at the top of SMS/MMS messages (Sender ID).The Australian Communications and Media Authority (ACMA) is required under the Telecommunications Act 1997 (Cth) (Telecommunications Act) to establish the SMS Sender ID register as soon as possible. The first major milestone for the ACMA is the registration of a standard (by 30 June 2025) for the Australian telecommunications industry to give effect to the SMS Sender ID Register.[1]

On 27 March 2025, the ACMA opened a public consultation on its proposed approach to the SMS Sender ID Register including the Draft Telecommunications (SMS Sender ID Register) Industry Standard 2025 (Draft Standard).

The Draft Standard would apply to carriers and carriage service providers who send, transmit or terminate SMS/MMS that are sent to a mobile number issued in Australia and contain a Sender ID ('regulated telcos').  Its key requirements are that it:

• prohibits regulated telcos from sending, transiting or terminating SMS/MMS that use Sender ID unless they are registered with the ACMA;
• requires (registered) originating and terminating regulated telcos to 'disrupt' SMS/MMS that do not have a registered Sender ID. A message will (at least initially) be disrupted by 'over-stamping' the Sender ID with 'Likely SCAM'. The ACMA has indicated they will revisit 'over-stamping' after 12 months of operation and may consider implementing another measure such as blocking all messages with unregistered Sender IDs;
• requires (registered) originating regulated telcos to proactively initiate the registration of their customers on the SMS Sender ID Registry before 15 December 2025;
• requires (registered) originating regulated telcos to traceback the use of registered Sender IDs in scam communications; and
• imposes a proactive reporting obligation on all (registered) regulated telcos in the event of an actual, or suspected, breach of the security of its IT systems and processes related to sending Sender ID messages and interacting with the SMS register.

The obligations do not extend to messages sent without Sender IDs or messages sent from Australian entities to international mobile numbers, including international mobile numbers roaming in Australia. Further, a regulated telco may transit a Sender ID message to an Australian mobile number if that number is connected with an international roaming service, so such messages that are sent to Australians roaming overseas (such as a message from an airline that a flight departing an airport located outside Australia is ready for boarding) will not be required by Australian law to be blocked by a regulated telco.

I am not a carrier or CSP – will this affect me?

Yes. These changes will impact all business who use Sender IDs as the SMS Sender ID Registry is grounded in two core concepts:

• telcos must register to send, transit or terminate SMS/MMS messages that include a Sender ID to an Australian mobile number; and
• entities who send SMS/MMS using a Sender ID who fail to register that Sender ID will have their SMS/MMS over-stamped with 'Likely SCAM' which will practically impact how individuals interact with those SMS/MMS.

The logic of the regime is outlined below:

Australia really is an island continent – the impact on overseas entities

The ACMA has proposed that international entities (including companies and telcos) must have a ‘registered Australian business presence’ to participate in the Register (ie they must have an ABN). If implemented as proposed, this would mean that:

• Australian telcos would be unable to transit or terminate SMS/MMS with a Sender ID from an overseas based telco that is not registered with ACMA; and
• (even where the overseas based telco is registered on the Sender ID Register) the recipients of SMS/MMS from overseas entities who use Sender ID would see the Sender ID over-stamped with 'Likely SCAM'.

For a country with a significant migrant population (almost 700,000 migrants arrived in 2024) and with many Australians acquiring services from overseas entities, this will have a major impact on a large number of Australians. The impact will be most pointed for those with international bank accounts or who are required to interact with overseas government agencies (especially where those banks or government agencies utilise SMS messages with a Sender ID as a method of multi-factor authentication). For example the ACMA calls out the following examples from the UK Government service portal and the Bank of Ireland as messages that will be affected (image from the ACMA’s Consultation Paper):

The ACMA has justified the proposed position on the basis that the risks are significantly higher if international entities are allowed to participate and it will be difficult to implement adequate safeguards (eg 'the ACMA would be unable to readily verify the legitimacy of international entity documents (such as company registrations)'). However – administrative difficulty should not be the sole reason for excluding overseas entities and international telcos. This is a key area to watch and, if you are impacted, to submit feedback to the ACMA by the 28 April 2025.  Governments of Australia’s strategic allies like the ‘Five Eyes’ countries may not appreciate their legitimate messages being identified as a 'Likely SCAM' as a result of the operation of an Australian law!

Other impacts

In addition to the exclusion of overseas entities, the Draft Standard raises a number of other issues and burdens that will impact regulated telcos and Australian companies. These include:

• requiring telcos to 'register' with the ACMA. Whilst a telco may wish to apply for registration in its capacity as a company that sends sender identification messages (e.g. to identify itself as ‘Telstra’, ‘TPG’, ‘Optus’ or ‘Vodafone’ when sending messages by SMS to its customers), requiring telcos to register in order to carry SMS/MMS with Sender IDs is not contemplated by Part 24B of the Telecommunications Act and effectively introduces a version of the 'registration' requirement for carriage service providers that was proposed in the Telecommunications Amendment (Enhancing Consumer Safeguards) Bill 2025 which has lapsed;
• prohibiting transiting regulated telcos (ie carriers and CSPs that transit sender ID messages between two other telcos) from accepting Sender ID messages from, and sending them to, non-participating telcos (unless the recipient is using an international mobile roaming service). With the Draft Standards imposing obligations on both the originating and terminating telco it is difficult to understand the justification for imposing blocking obligations on a transiting regulated telco–and raises the risks that legitimate SMS/MMS will not be received;
• entities looking to register a Sender ID must have a 'valid use case' for the Sender ID. The ACMA has indicated that this requires evidence that the Sender ID is directly associated with the entity. The ACMA can be expected to automate the decision-making process associated with approval of Sender IDs, which may result in rigid rules that prevent entities that operate a multi-brand strategy from registering as many Sender IDs as they would wish – this could affect governments as well as businesses (consider, for example, the number of differently branded government agencies that are all part of the Crown in right of a particular jurisdiction);
• requiring originating regulated telcos to initiate processes for their customers to register on the SMS Sender ID Register. It is proposed that these obligations commence on 1 October 2025 and entities must be registered by 15 December 2025 to avoid over-stamping. Notably – these processes place the burden on the originating regulated telcos to verify that their customers have a valid use case for a Sender ID; and
• requiring (registered) regulated telcos to report, and conduct tracebacks, on scam communications using a registered Sender ID. As acknowledged by the ACMA, this will overlap with existing obligations under the Reducing Scams Code (although the ACMA has indicated that the Reducing Scams Code will be amended).

In addition to the above issues, there are also questions as to the interaction of the Draft Standard with the new Scams Prevention Framework (SPF), as previously covered in this KWM Insight. The SPF, which passed through Parliament in February this year as the Scams Prevention Framework Act 2025 (Cth) amending the Competition and Consumer Act 2010 (Cth), imposes obligations on businesses to protect consumers from scams. Once it is been 'turned-on' for telcos, this means where a telco that fails to fulfil its obligation to identify or over-stamp an unregistered sender ID under the SMS Sender ID Regime will be highly likely to breach its SPF obligation to take reasonable steps to detect and prevent scams related to, connected with or using its services.[2] On this basis, a breach of the Draft Standard would expose regulated telcos to adverse financial consequences under both the:

• Telecommunications Act - currently breaches of industry standards are civil penalty provisions with maximum penalties of up to $250,000 per contravention (though higher penalties were proposed in the Telecommunications Amendment (Enhancing Consumer Safeguards) Bill 2025 which has lapsed); and
• SPF where a breach of a ‘tier 1 civil penalty provision’ has a maximum penalty of the greater of 159,745 penalty units (over A$50 million), three times the benefit gained from the conduct and potentially 30% of turnover. Further, a breach by a telco of its SPF obligation exposes the telco to a claim for damages suffered by the recipient of a message that should have been over-stamped or blocked (see new s58FZC of the Competition and Consumer Act 2010 (Cth), introduced by the Scams Prevention Framework Act 2025 (Cth)).

Conclusion

While the ACMA’s proposal aims to protect consumers and industry from the harms of spoofing SMS scams, the regulator’s Draft Standard and consultation paper raise significant questions about the practical effects of the regime on telcos and entities. KWM would be happy to assist you in preparing a submission to the consultation and advising on what this regime means for your business.