Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
SINGAPORE: A framework that prescribes how losses arising from phishing scams will be shared among financial institutions, telecommunication companies and consumers is set to kick in on Dec 16.
Making the announcement on Thursday (Oct 24), the Monetary Authority of Singapore (MAS) and the Infocomm Media Development Authority (IMDA) also introduced an additional requirement for financial institutions to perform real-time fraud surveillance to “detect if a customer’s account is being rapidly drained of a material sum” due to a phishing scam.
Last October, the authorities put out a long-awaited consultation paper which proposed that financial institutions and telcos that were negligent bear the responsibility of phishing scam losses ahead of victims.
The paper set out a list of “discrete and well-defined duties” for these companies, making them liable to pay if they have fallen short of their responsibilities. These include failure by banks to send outgoing transaction alerts to consumers and telcos failing to implement a scam filter for SMSes.
As a start, the framework proposed focusing on phishing scams which account “for a sizeable proportion of unauthorised transactions” in Singapore.
The consultation exercise ended last December, with the authorities receiving 72 responses from businesses and the public.
“Overall, respondents welcomed the (shared responsibility framework) and supported the efforts to better protect consumers,” MAS and IMDA said.
The framework will apply to financial institutions – all full banks and relevant payment service providers – and telcos. Their responsibilities are laid out below.
Financial institutions must:
Telcos must:
A “waterfall” approach for the sharing of responsibility for scam losses:
A common piece of feedback was that financial institutions and telcos should be required to implement more robust controls or a wider range of security measures.
Specifically for banks, several members of the public proposed an additional responsibility of fraud surveillance and detection. MAS said it agreed and will require banks to take this on.
“A key objective here is to strengthen (financial institutions’) fraud surveillance controls to substantially reduce cases of customers having material sums being rapidly wiped out from their accounts without their knowledge – such cases are of greatest concern to MAS,” according to the authorities’ response to the consultation paper.
For example, if a customer’s account is being rapidly drained of a material sum by a scammer, the financial institution must either block the transaction until it is able to reach the customer or send a notification to the customer while blocking or holding the transaction for 24 hours.
An account would be considered as rapidly drained of a material sum if it had an account balance of S$50,000 or more immediately prior to the unauthorised transaction, and if more than half of that account balance was transferred out within the last 24 hours.
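The rule above can be checked on each outgoing transfer before it is released. The sketch below is an added example, not code from MAS or any bank: the `Outflow` record, the function names and the choice of the balance before the first debit in the trailing 24 hours as the reference balance are assumptions about how an institution might put the definition into practice.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)
MATERIAL_BALANCE_CENTS = 50_000 * 100  # S$50,000 threshold quoted in the article

@dataclass(frozen=True)
class Outflow:
    when: datetime
    amount_cents: int          # integer cents avoid float rounding at the boundary
    balance_before_cents: int  # account balance immediately before this debit

def should_hold(history, pending):
    """True if executing `pending` would leave the account 'rapidly drained'."""
    start = pending.when - WINDOW
    window = [o for o in history if start < o.when <= pending.when] + [pending]
    window.sort(key=lambda o: o.when)
    # Assumption: the reference balance is the one before the first debit in
    # the trailing 24 hours, since the bank cannot yet know which is unauthorised.
    reference = window[0].balance_before_cents
    if reference < MATERIAL_BALANCE_CENTS:
        return False
    drained = sum(o.amount_cents for o in window)
    return 2 * drained > reference  # strictly more than half

def first_hold(outflows):
    """Replay time-ordered debits; return index of the first one to hold, or None."""
    for i, pending in enumerate(outflows):
        if should_hold(outflows[:i], pending):
            return i
    return None

# Constructed sample: S$60,000 account drained in three transfers, each of
# which is individually below half the balance.
T0 = datetime(2024, 12, 16, 9, 0)
SAMPLE = [
    Outflow(T0, 10_000_00, 60_000_00),
    Outflow(T0 + timedelta(hours=1), 15_000_00, 50_000_00),
    Outflow(T0 + timedelta(hours=2), 10_000_00, 35_000_00),
]

if __name__ == "__main__":
    print("hold at index:", first_hold(SAMPLE))
```

In the constructed sample no single transfer exceeds half the balance, so a per-transaction limit would release all three; the cumulative 24-hour check holds the third.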
As this additional duty on fraud surveillance was not among those in the consultation paper, MAS said it will allow banks a six-month transition period from the roll-out of the framework.
Authorities also noted that with the step-up in anti-scam security controls, consumers “must expect some added friction in their payment transactions”.
There were also calls for more scam variants, such as malware-enabled scams, to be covered under the framework.
In response, the authorities said they would maintain the current focus on a “defined scope of phishing scams where the corresponding duties for financial institutions and telcos can be clearly set out”.
They added that the government will continue to work with banks and others in the ecosystem to put in place measures to mitigate the risk of other scams, including by “holding ecosystem players accountable where necessary”.
“While this is being worked out, banks have taken a more forward-leaning approach towards assessing goodwill payments for customers affected by malware scams,” they said.
On calls for the framework to include more entities such as messaging platforms and social media platforms, MAS and IMDA maintained the focus on banks and telcos given the influence and responsibilities that these entities have over the security of digital banking and SMS channels.
But the government takes on “a whole ecosystem approach” in combatting scams, such as urging social media firms to do more to fight scams.
The Online Criminal Harms Act also allows the government to issue directions to online service providers, entities or individuals to disable access to online criminal content or accounts, including scams, they added.
The shared-responsibility framework “will operate as part of the broader suite of upstream and downstream” anti-scam measures taken on by the government and businesses, the authorities said.
The MAS, for instance, is studying the feasibility of “stronger, out-of-band authentication solutions”, such as the use of Fast IDentity Online (FIDO)-compliant tokens to enhance defences against unauthorised phishing transactions.
IMDA said it has worked and will continue to work closely with the telcos. Measures such as the mandatory SMS Sender ID Registry and anti-scam filter have resulted in over 20 million SMSes being blocked since 2023.
Following the announcement, M1, Singtel, StarHub and SIMBA said in a joint statement that they have implemented the required duties set out under the framework, alongside other scam prevention measures like stringent SIM card registration requirements.
In line with the new framework, the respective mobile network operators “will review the eligibility of claims made, with consideration of fair recourse”, they said.
The Association of Banks in Singapore (ABS) said its member banks are “committed to upholding the principles of the framework”.
It is also supportive of the new prescribed duty for banks to perform fraud surveillance on phishing scams, although that may introduce some “friction” for consumers.
“At times, legitimate transactions may be put on hold or blocked while financial institutions attempt to contact their customers to verify the transactions,” said ABS director Ong-Ang Ai Boon.
“We seek customers’ understanding, as the industry continues to enhance and adapt its fraud surveillance over time to uphold banking security without overly compromising on a seamless banking experience.”