FINTECH
ACMA’s SMS Rules Are a Start — But They Are Not Enough to Protect Consumers

ACMA’s SMS Rules Are a Start — But They Are Not Enough to Protect Consumers

Having spent much of my career working across the telecommunications and fintech industries, I've seen firsthand how trusted communication channels can be exploited by bad actors.

I've also seen how difficult it can be for consumers to distinguish between legitimate communications and increasingly sophisticated scams.

That's why I had mixed feelings when I read about ACMA's new SMS Sender ID Register.

On one hand, I welcome any effort that makes it harder for scammers to impersonate legitimate organisations. SMS sender verification is a sensible step and should help reduce some forms of fraud.

On the other hand, my immediate reaction was simple: why has it taken so long?

The telecommunications industry has understood the risks associated with sender spoofing for many years. Financial institutions have spent years educating customers about SMS scams. Consumers have lost significant amounts of money to fraudsters pretending to be trusted brands.

So while I welcome the new rules, I don't see them as a major win for consumer protection. From my perspective, they represent a delayed response to a problem that has been obvious for a very long time.

More importantly, I believe Australia has an opportunity to go much further.

This Protection Could Have Been Introduced Years Ago

One of the first thoughts I had when reading about the new rules was that the underlying concept isn't particularly new.

If an organisation wants to send messages using a branded sender name, it should have to prove that it owns or controls that identity. That seems like common sense.

The industry has known for years that sender spoofing creates opportunities for fraud. Regulators have known it. Telecommunications providers have known it. Banks have known it.

Yet consumers have continued receiving fraudulent messages pretending to be legitimate organisations.

From my perspective, the most disappointing aspect of this announcement is not what it introduces, but how long it has taken to arrive.

Consumers have been carrying the risk while industry and regulators slowly worked towards a solution.

I Believe Australia Needs a Commercial SMS Register

If I were designing this framework from the ground up, I would go much further than simply registering branded sender IDs.

I believe every organisation sending commercial SMS messages to Australians should be required to register on a government-managed commercial SMS register.

Whether the message is marketing, customer communication, appointment reminders or promotional activity, the sender should be identifiable and accountable.

If a business wants access to one of the most personal communication channels available, consumers should be able to have confidence that the sender is legitimate.

In my view, registration should be a prerequisite for participation, not an optional layer of verification.

Telcos Should Play a Bigger Role

One of the things I've learned throughout my time in telecommunications is that network operators are often in the best position to prevent problems before they reach consumers.

That's why I believe telecommunications providers should play a much larger role in protecting consumers from SMS scams.

A commercial SMS register should not simply exist as a database that organisations sign up to.

It should be actively used by telecommunications providers to identify and filter commercial messaging traffic.

If a commercial sender is not registered, I believe their messages should be blocked, quarantined or clearly flagged before they are delivered.

Consumers should not be expected to identify every scam message themselves.

The system should be designed to stop as many harmful messages as possible before they ever arrive on a consumer's device.

International Marketers Should Follow The Same Rules

One weakness I see in many regulatory frameworks is that they place obligations on local businesses while offshore organisations continue operating with limited oversight.

If an overseas company wants to send commercial SMS messages to Australian consumers, I believe they should be subject to exactly the same registration requirements as Australian businesses.

Consumers don't care where a message originated.

What matters is whether the sender is legitimate and accountable.

If an organisation is targeting Australian consumers, it should be required to comply with Australian standards regardless of where it is based.

Accountability Is One Of The Biggest Benefits

Another reason I support a broader registration framework is accountability.

When a campaign breaches regulations, misrepresents a business, ignores consent requirements or causes consumer harm, regulators should be able to quickly identify who was responsible.

That includes:

  • The organisation that authorised the campaign.

  • The organisation that sent the campaign.

  • The messaging provider involved.

  • The telecommunications providers carrying the traffic.

In my experience, accountability is one of the strongest deterrents available.

People and organisations tend to behave differently when they know responsibility can be traced directly back to them.

Banks Should Stop Sending Links By SMS

There is one area where I hold an even stronger view.

I don't believe banks and financial institutions should send clickable web links in SMS messages at all.

Instead, banking messages should be plain text only.

If a customer needs to review information or take action, the message should instruct them to open their banking application or log directly into their online banking platform.

The reason is simple.

For years, consumers have been told not to click links in suspicious messages. At the same time, legitimate banks continue sending links by SMS.

That creates confusion.

It trains customers to trust links delivered through a channel that scammers actively target.

Imagine if every Australian bank adopted a simple policy:

"We never send links by SMS."

Consumers would quickly learn that any banking message containing a link should immediately be treated as suspicious.

In my opinion, that single change would significantly reduce the effectiveness of many banking-related SMS scams.

My Final Thoughts

I welcome ACMA's Sender ID Register.

It is undoubtedly better than doing nothing.

However, I don't believe it should be viewed as the finish line.

Based on my experience in telecommunications and fintech, I believe Australia should be aiming for a much stronger framework that focuses on prevention rather than detection.

That means mandatory registration of commercial SMS senders, active filtering by telecommunications providers, equal obligations for international marketers, stronger accountability mechanisms and clearer communication standards for financial institutions.

The objective shouldn't be helping consumers identify scams after they receive them.

The objective should be stopping as many scam messages as possible from reaching consumers in the first place.

That is the standard I believe consumers deserve.