Financial institutions, telcos to be accountable to scam victims; new framework kicks in on Dec 16

Banks must block or hold for 24 hours suspicious transactions involving more than $25,000.

This move must be part of banks’ real-time fraud surveillance to substantially reduce cases of customers having large sums of money rapidly drained from their accounts without their knowledge, the Monetary Authority of Singapore (MAS) announced on Oct 24.

An account is considered to be rapidly drained if more than half of a balance of at least $50,000 is transferred out cumulatively over a day.

It is among newly announced measures to counter phishing scams that could undermine confidence in Singapore’s digital banking and payment systems.

This was spelt out under the finalised Shared Responsibility Framework (SRF) for phishing scams, unveiled on Oct 24.

The SRF complements existing moves that have been made to counter scams. For instance, major retail banks have been restricting access to their apps if customers have downloaded apps from untrustworthy installers or apps with risky permission settings, to counter malware-related scams.

Banks have six months from Dec 16, the date the SRF kicks in, to implement the new measure.

The finalised SRF governs how financial institutions and telcos may have to share in paying out to victims their losses in certain phishing scams if these organisations fail to perform their duties.

It aims to save consumers hassle when they are seeking reimbursement. Currently, the onus is on them to provide proof that their losses were not due to their own negligence.

Overall, banks have to fulfil five key duties, and telcos three key ones, under the SRF. If these organisations do what is necessary under the framework, consumers will bear the full losses.

“With the addition of a new fraud surveillance duty, some retail customers may experience more inconvenience when conducting larger-value transactions,” said Ms Ho Hern Shin, deputy managing director for financial supervision at MAS.

“This additional friction is necessary to protect customers against large unauthorised transactions.”

The finalised SRF comes after two months of industry consultation at the end of 2023 and almost a year of deliberation by MAS and the Infocomm Media Development Authority (IMDA).

It is not meant to be a catch-all fraud reimbursement framework. For instance, it does not offer coverage in the case of payments arising from investment or love scams, or fraudulent transactions due to hacking, identity theft or the downloading of malware. 

The scope of the SRF is confined to phishing scams conducted on a digital platform, such as a fake website accessed through a link, where victims are tricked into entering their account details. Organisations that get impersonated must either be based in Singapore or have already offered services to Singapore residents.

This, for instance, includes cases where a fraudster pretends to be from a legitimate entity such as Singapore Post or DHL and sends e-mails or SMSes claiming account-related issues, to trick victims into clicking on a link to a fake website to enter their account details. Also included are cases where a scammer claims to be from a financial institution offering deals like high interest rates on fixed deposits and free mobile phones, to trick victims into clicking on a link to a fake website to enter account credentials.

The SRF establishes the process for determining payouts arising from scam losses – by first examining whether financial services providers and telcos have fulfilled their duties. Singapore is possibly the first jurisdiction to include telcos in a fraud reimbursement framework. 

MAS and IMDA said banks and payment services providers are custodians of consumer funds and play a critical role as gatekeepers against money being misappropriated by scammers, while telcos are the infrastructure providers for SMS texts often used by banks to communicate with consumers.

First in line to be examined are banks, such as DBS Bank, UOB, OCBC Bank and Citibank, and payment services providers that offer e-wallets, such as Grab, YouTrip and Revolut. If they fail in any of their duties, they will be fully liable for the losses.

Banks’ other duties include imposing a 12-hour cooling-off period to prevent large sums from being transferred from an account to a third party if a scammer has phished a person’s credentials and activated a digital security token. The 12-hour cooling-off will also apply to logins to an e-wallet such as Grab on a new device.

Banks and payment services providers are also expected to send real-time alerts to consumers for high-risk activities – including change of account contact details, increase in transaction limits and adding a new payee – or when there is a login to an e-wallet on a new device.

Next to be examined are the four local telcos – Singtel, StarHub, M1 and Simba Telecom – if banks have fulfilled all their duties. Telcos will need to bear the full loss amount if they fail to fulfil any of their duties.

Telcos are expected to reduce the risk of scam SMSes being sent to consumers by running an anti-scam filter on their networks and blocking those with known phishing links under the SRF. Also, telcos can deliver such SMSes to subscribers only if they originate from an authorised SMS aggregator, which acts for a business that wants to send bulk SMSes. A failure to carry out any of these measures may make them liable for losses.

But if the telcos, too, carry out their duties properly, they will not be required to reimburse phishing victims. Consumers in such cases will have to bear the full loss. They can take action by lodging a complaint at the Financial Industry Disputes Resolution Centre.

Scam victims lost a record high of more than $385.6 million in the first six months of 2024, due largely to e-commerce, job and phishing fraud. If the trend continues, scam losses could exceed $770 million by the end of 2024. The annual record stands at $660.7 million lost in 2022.

Losses due to phishing scams alone totalled $13.3 million in the first six months of 2024, up from $7.3 million in the same period a year ago.

Ms Aileen Chia, IMDA deputy chief executive (connectivity, development and regulation), said the authority has worked closely with the telcos to secure the SMS channel, an official channel adopted by banks for digital banking.

The SMS Sender ID Registry and anti-scam filters have resulted in over 20 million SMSes blocked since 2023, she added.

The registry is aimed at countering SMS spoofing by scammers who lure their victims by using fake SMS sender names in their messages.

All four telcos said in a joint statement on Oct 24 that they have already fulfilled the duties set out in the SRF. They have also complied with other scam prevention measures such as those that govern SIM card registration and letting subscribers block international calls and SMS.

“Beyond the SRF, banks also have their respective discretionary goodwill frameworks, to support scam victims,” said Mrs Ong-Ang Ai Boon, director of the Association of Banks in Singapore.

“Such discretionary reimbursements will be considered on a case-by-case basis, taking into account the overall circumstances of each case,” she added, noting that factors considered include the sophistication of scams and victims’ financial situation. “In cases where the scam was completely outside the customer’s control or responsibility, banks would consider making goodwill payments up to the full amount of the loss.”

To tighten the reins on phishing scams, MAS is also studying stronger authentication solutions, such as the use of Fast IDentity Online-compliant tokens that will work only if they are in close proximity to the device used to perform a transaction. 

Countries like Australia have also considered similar shared loss schemes as a result of scams. The European Commission has proposed a “refund” to victims of certain types of fraud, while Britain is planning to enforce mandatory reimbursement by banks to scam victims of up to £1 million (S$1.7 million) – with the sending and receiving banks sharing the bill. 

Source: Straits Times © SPH Media Limited. Permission required for reproduction.

Banks to have real-time fraud detection from mid-2025 under new scam prevention framework ADV: Criminal Justice Forum (29 Oct)