Banks to have real-time fraud detection from mid-2025 under new scam prevention framework
Source: Straits Times
Article Date: 25 Oct 2024
Author: Osmond Chia
Financial institutions here will have to implement real-time fraud detection to identify unauthorised transactions linked to phishing scams, and block transactions where a customer’s account is being quickly drained.
In such a scenario, the financial institution will either have to block the move until it is able to confirm the transaction with the customer, or notify the customer and hold the transaction for at least 24 hours.
This is a key recommendation that will be added to the upcoming Shared Responsibility Framework (SRF) due to be implemented on Dec 16, following a two-month public consultation that ended in December 2023.
Implementing fraud surveillance measures is a key area of feedback, while the Monetary Authority of Singapore (MAS) said cases of customers having significant sums rapidly wiped out from their accounts without their knowledge are its “greatest concern”.
The framework, proposed in 2023, sets out the responsibilities of financial institutions and telecommunications companies to both prevent phishing scams and provide reasonable avenues of recourse for scam victims.
Of the 72 responses received in the public consultation by MAS and the Infocomm Media Development Authority (IMDA), roughly half were from members of the public, and the rest from telcos and financial institutions.
“Overall, respondents welcomed the Shared Responsibility Framework and supported the efforts to better protect consumers,” the two authorities said.
The regulators retained the list of duties for the institutions in the original 2023 proposal, but expanded the responsibility for financial institutions to implement systems to scan for fraud.
Among the measures proposed earlier, banks must implement a 12-hour cooling-off period for activating digital security tokens and provide real-time alerts for high-risk activities, while telcos must restrict SMS transmissions to approved registries for messages bearing a sender ID.
In what they call the “waterfall” approach, the authorities will first assess banks’ liability in the event of a scam, followed by telecommunications companies’. If both the bank and the telco have met their responsibilities, the customer will be responsible for the financial loss.
Fraud surveillance
In the consultation, respondents sought more robust measures to strengthen security standards of digital banking and the telco infrastructure.
Some argued that it is reasonable to expect banks to be able to detect and block unusual or large transactions – a view supported by the regulators.
Financial institutions will have up to mid-2025 to implement new fraud surveillance measures.
These include real-time fraud surveillance systems that block unauthorised transactions.
Banks must detect when large sums – more than half of a balance of at least $50,000 – are rapidly drained from an account over a day.
Such transactions must be blocked until the bank confirms the transaction with the customer, or the bank must send a notification to the customer and hold the transaction for at least 24 hours.
Fail to do so, and the bank will be required to pay the victim in full, said IMDA and MAS.
“This is in recognition of the severe impact on scam victims if their accounts are drained without their knowledge,” said the regulators.
Notifications
On how users should be notified, MAS said it will not standardise a mode of notification, given concerns from financial institutions that not all customers have valid phone numbers or e-mail addresses when they open an account, and not all are mobile app users.
“It would therefore be more practical to require financial institutions to send the notification alerts through the mode that is already familiar to their existing customer, or one that the consumer had explicitly opted for,” said the regulators.
Remove URLs from SMS
Responding to a suggestion to remove URLs from SMS messages by default, IMDA said local banks are phasing out clickable links in SMS in a move to enhance digital banking security.
Government agencies that send clickable links in SMS will ensure that the URLs end with “.gov.sg”, it added.
“The Government will study the use of URLs in other sectors and work with sector partners to make adjustments if necessary,” said IMDA.
Protection for vulnerable groups, expand accountability
Another key area of feedback is to tighten security efforts for vulnerable groups, such as the elderly, by providing higher levels of protection.
The regulators said that the best defence is a vigilant public, and that they conduct public awareness campaigns for users across many groups, including the elderly.
Respondents also called for social media and messaging platforms to share responsibility under the framework as many scams are conducted on these channels.
MAS and IMDA said they will continue to study the appropriate measures to push other industry players to implement anti-scam measures.
They noted that most payout frameworks globally usually cover only banks, and including telcos in the SRF already holds more stakeholders responsible.
They added that the authorities have other ways to take action against scam content, including the Online Criminal Harms Act, which allows the Government to order companies to block content involved in scams from reaching Singapore users.
Source: Straits Times © SPH Media Limited. Permission required for reproduction.