A file photo of a scam alert on a phone. (Photo: iStock)

Banks, telcos and scam victims to share liability for losses under new framework to kick in on Dec 16

Banks will have an additional responsibility to perform real-time fraud surveillance "directed at detecting unauthorised transactions in a phishing scam that result in account draining", the authorities announced.

CNA

SINGAPORE: A framework that prescribes how losses arising from phishing scams will be shared among financial institutions, telecommunication companies and consumers is set to kick in on Dec 16.

Making the announcement on Thursday (Oct 24), the Monetary Authority of Singapore (MAS) and the Infocomm Media Development Authority (IMDA) also introduced an additional requirement for financial institutions to perform real-time fraud surveillance to “detect if a customer’s account is being rapidly drained of a material sum” due to a phishing scam.

Last October, the authorities put out a long-awaited consultation paper which proposed that financial institutions and telcos that were negligent bear the responsibility of phishing scam losses ahead of victims.

The paper set out a list of “discrete and well-defined duties” for these companies, making them liable to pay if they have fallen short of their responsibilities. These include failure by banks to send outgoing transaction alerts to consumers and telcos failing to implement a scam filter for SMSes.

As a start, the framework proposed focusing on phishing scams which account “for a sizeable proportion of unauthorised transactions” in Singapore.

The consultation exercise ended last December, with the authorities receiving 72 responses from businesses and the public.

“Overall, respondents welcomed the (shared responsibility framework) and supported the efforts to better protect consumers,” MAS and IMDA said.

At a glance: What the shared responsibility framework for phishing scams entails

The framework will apply to financial institutions – all full banks and relevant payment service providers – and telcos. Their responsibilities are laid out below.

Financial institutions must:

  • Impose a 12-hour cooling off period upon activation of digital security tokens, during which high-risk activities cannot be carried out. Such activities include the addition of new payees, increasing transaction limits and disabling transaction notification alerts
  • Provide real-time notification alerts for the activation of digital security tokens or conducting of high-risk activities
  • Provide real-time outgoing transaction notifications 
  • Provide a 24/7 reporting channel and a self-service feature for consumers to report and block unauthorised access to their accounts
  • Put in place real-time fraud surveillance directed at detecting unauthorised transactions in a phishing scam that results in an account being rapidly drained of a material sum to a scammer

Telcos must: 

  • Connect only to authorised aggregators for the delivery of Sender ID SMSes to ensure that subscribers only receive SMSes from bona fide senders registered with the SMS Sender ID Registry
  • Block Sender ID SMSes that are not from authorised aggregators
  • Implement an anti-scam filter over all SMSes to block those containing malicious URLs listed in a designated database

A “waterfall” approach for the sharing of responsibility for scam losses:

  • Financial institutions will be first in line to bear the full losses incurred if the required duties are breached
  • Telcos stand second in line – meaning that if the financial institution has fulfilled all its required duties and the telco is assessed to have breached its duties, the telco will be expected to bear the full losses
  • If both the financial institution and telco have carried out their necessary duties, the consumer would then bear the full losses

ADDITIONAL DUTY ON BANKS TO DO FRAUD SURVEILLANCE

One common piece of feedback was that financial institutions and telcos should be required to implement more robust controls or a wider range of security measures.

Specifically for banks, several members of the public proposed an additional responsibility of fraud surveillance and detection – to which MAS said it agreed and will be requiring banks to do so.

“A key objective here is to strengthen (financial institutions’) fraud surveillance controls to substantially reduce cases of customers having material sums being rapidly wiped out from their accounts without their knowledge – such cases are of greatest concern to MAS,” according to the authorities’ response to the consultation paper.

For example, if a customer’s account is being rapidly drained of a material sum by a scammer, the financial institution must either block the transaction until it is able to reach the customer or send a notification to the customer while blocking or holding the transaction for 24 hours.

An account would be considered as rapidly drained of a material sum if it had an account balance of S$50,000 or more immediately prior to the unauthorised transaction, and if more than half of that account balance was transferred out within the last 24 hours.
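The "rapidly drained of a material sum" test above can be expressed as a small surveillance rule. The following is an added illustration, not code from MAS, IMDA or any bank, using the S$50,000 threshold, the 24-hour look-back and the 24-hour hold from the article; the reference balance is assumed to be the one immediately prior to the earliest outgoing transfer inside the 24-hour window (reconstructed by adding those transfers back, ignoring inflows), and all amounts and timestamps are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

MATERIAL_SUM_SGD = 50_000          # balance threshold named in the framework
DRAIN_WINDOW = timedelta(hours=24)  # look-back window named in the framework
HOLD_PERIOD = timedelta(hours=24)   # hold duration named in the framework


@dataclass
class Outflow:
    when: datetime
    amount: float  # S$ leaving the account


def outflow(iso_when: str, amount: float) -> Outflow:
    """Helper for building constructed sample transfers from ISO timestamps."""
    return Outflow(datetime.fromisoformat(iso_when), amount)


def is_rapid_drain(balance_before: float, prior_outflows: list, candidate: Outflow) -> bool:
    """True if approving `candidate` meets the 'rapidly drained of a material sum' test.
    balance_before is the balance immediately prior to `candidate`.
    Assumption (not on the page): the reference balance is the one immediately
    prior to the earliest outflow in the 24-hour window, reconstructed by adding
    those outflows back; inflows are ignored, which keeps the check conservative."""
    window_start = candidate.when - DRAIN_WINDOW
    in_window = [o for o in prior_outflows if window_start <= o.when < candidate.when]
    drained_so_far = sum(o.amount for o in in_window)
    reference_balance = balance_before + drained_so_far
    total_out = drained_so_far + candidate.amount
    return reference_balance >= MATERIAL_SUM_SGD and total_out > reference_balance / 2


def surveil(balance_before: float, prior_outflows: list, candidate: Outflow) -> dict:
    """Map detection to the duty in the article: hold 24h and notify, else release."""
    if is_rapid_drain(balance_before, prior_outflows, candidate):
        return {"action": "HOLD_AND_NOTIFY",
                "hold_until": (candidate.when + HOLD_PERIOD).isoformat()}
    return {"action": "RELEASE", "hold_until": None}


def sample_decisions() -> dict:
    """Constructed scenario: S$120,000 account, S$30,000 already sent out 50 minutes
    earlier (balance now S$90,000), then a further transfer is attempted."""
    prior = [outflow("2024-12-16T09:10:00", 30_000)]
    big = outflow("2024-12-16T10:00:00", 35_000)    # 65k of 120k > half  -> hold
    small = outflow("2024-12-16T10:00:00", 25_000)  # 55k of 120k <= half -> release
    return {"big": surveil(90_000, prior, big)["action"],
            "small": surveil(90_000, prior, small)["action"]}
```

A production rule would also need to handle inflows, multiple currencies and the customer-contact path before release, which the article does not specify.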

As this additional duty on fraud surveillance was not among those in the consultation paper, MAS said it will allow banks a six-month transition period from the roll-out of the framework.

Authorities also noted that with the step-up in anti-scam security controls, consumers “must expect some added friction in their payment transactions”.

There were also calls for more scam variants, such as malware-enabled scams, to be covered under the framework.  

In response, the authorities said they would maintain the current focus on a “defined scope of phishing scams where the corresponding duties for financial institutions and telcos can be clearly set out”.

They added that the government will continue to work with banks and others in the ecosystem to put in place measures to mitigate the risk of other scams, including by “holding ecosystem players accountable where necessary”. 

“While this is being worked out, banks have taken a more forward-leaning approach towards assessing goodwill payments for customers affected by malware scams,” they said. 

On calls for the framework to include more entities such as messaging platforms and social media platforms, MAS and IMDA maintained the focus on banks and telcos given the influence and responsibilities that these entities have over the security of digital banking and SMS channels.

But the government takes on “a whole ecosystem approach” in combatting scams, such as urging social media firms to do more to fight scams.

The Online Criminal Harms Act also allows the government to issue directions to online service providers, entities or individuals to disable access to online criminal content or accounts, including scams, they added.

The shared-responsibility framework “will operate as part of the broader suite of upstream and downstream” anti-scam measures taken on by the government and businesses, the authorities said.

The MAS, for instance, is studying the feasibility of “stronger, out-of-band authentication solutions”, such as the use of Fast IDentity Online (FIDO)-compliant tokens to enhance defences against unauthorised phishing transactions.

IMDA said it has worked, and will continue to work, closely with the telcos. Measures such as the mandatory SMS Sender ID Registry and anti-scam filter have resulted in over 20 million SMSes being blocked since 2023.

Following the announcement, M1, Singtel, StarHub and SIMBA said in a joint statement that they have implemented the required duties set out under the framework, alongside other scam prevention measures like stringent SIM card registration requirements.

In line with the new framework, the respective mobile network operators “will review the eligibility of claims made, with consideration of fair recourse”, they said.

The Association of Banks in Singapore (ABS) said its member banks are “committed to upholding the principles of the framework”. 

It is also supportive of the new prescribed duty for banks to perform fraud surveillance on phishing scams, although that may introduce some “friction” for consumers.

“At times, legitimate transactions may be put on hold or blocked while financial institutions attempt to contact their customers to verify the transactions,” said ABS director Ong-Ang Ai Boon.

“We seek customers’ understanding, as the industry continues to enhance and adapt its fraud surveillance over time to uphold banking security without overly compromising on a seamless banking experience.”

Source: CNA/sk(zl)
