Financial institutions and telecommunication companies in Singapore found to have breached their responsibilities may have to compensate customers who have fallen prey to scams, a long-awaited consultation paper by the authorities proposed.
Published on Oct. 25, the paper by the Monetary Authority of Singapore (MAS) and the Infocomm Media Development Authority (IMDA) acknowledged that “responsibility for preventing scams should not lie solely with consumers but also with industry stakeholders”, such as the financial institutions and telcos.
It also provided proposals on how losses suffered will be shared between companies and consumers, where the determination of responsibility will be based on a “waterfall approach”.
This means that financial institutions, followed by telcos, are expected to bear the full loss if they fail to discharge their respective duties.
However, the consumer will have to bear the full loss if both the financial institution and telco are found to have carried out their duties.
Framework first announced in Feb. 2022
The shared responsibility framework was first announced in February 2022.
It came after some 800 OCBC customers lost a combined S$13.7 million to scammers.
Back then, the proposed framework was said to focus on phishing scams as they accounted “for a sizeable proportion of unauthorised transactions” in Singapore.
Sending outgoing transaction alerts to consumers, for banks, and implementing a scam filter for SMSes, for telcos, are considered responsibilities that ought to be undertaken by businesses.
The MAS initially said in early 2022 it would publish a draft framework for public consultation in the following three months.
But the process has taken “longer than expected” due to the complexity of the issues involved, the financial regulator subsequently said.
The proposed framework is targeted to be rolled out in 2024.
No framework to be directly accountable
Currently, financial institutions and telcos are answerable to regulators if they fail to implement anti-scam measures.
There is no framework for them to be "directly accountable to consumers" in the event of lapses that lead to users of such services suffering losses, the paper said.
If the businesses fail to meet prescribed anti-scam duties, they “should bear responsibility for scam loss ahead of consumers”. This is the government’s expectation as stated in the loss-sharing and reimbursement framework, which spells out what shared responsibility entails.
Singapore is the first country in the world to include telcos under such a framework.
Focus on scams with Singapore nexus
The consultation paper said the proposed framework will focus on phishing scams with a “clear Singapore nexus” as a start.
Such scams are defined as those in which victims are conned into clicking on a phishing link and giving up their credentials on a fraudulent digital platform, and in which the impersonated entities are Singapore-based, or are overseas entities that have services that Singapore residents use.
This covers a scam perpetrated by a scammer who pretends to be from a legitimate entity, such as SingPost.
The scammer then tricks victims into clicking on links in spoofed SMSes or emails, and entering their account details on the fraudulent platform, which is usually a website.
What framework doesn't cover
The framework does not cover investment or love scams, where payments to scammers are authorised by the victims.
Also not covered are cases where consumers were deceived into giving away their credentials directly to the scammers via text messages and non-digital means.
Malware scams are not included for now, even though such cases have been on the rise recently.
Waterfall approach
The framework sets out “discrete and well-defined” anti-scam duties and controls for financial institutions and telcos.
A breach of any of its duties will render the financial institution liable for full compensation, as financial institutions are first in line given their primary accountability to consumers as custodians of their money.
Next in line are the telcos, given their “secondary and supporting role” as infrastructure providers for the delivery of SMS.
The telco will be expected to bear the full losses incurred in the event that a financial institution is deemed to have fulfilled its duties but the telco has failed.
Here are the duties of banks and relevant payment service providers:
- Impose a 12-hour cooling-off period upon activation of a digital token, during which high-risk activities cannot be carried out
- Send notification alerts on a real-time basis for activation of digital token and conduct of high-risk activities
- Provide outgoing transaction notifications on a real-time basis
- Provide a 24/7 reporting channel and a self-service feature for consumers to promptly block online payment transfers from their accounts
Here are the duties of telcos:
- Connect only to authorised aggregators for delivery of Sender ID SMS to ensure that these SMS originate from bona fide senders registered with the SMS Sender ID Registry regime
- Block Sender ID SMS from unauthorised aggregators to prevent delivery of Sender ID SMS originating from unauthorised SMS networks
- Implement an anti-scam filter over all SMS to block SMS with known phishing links