Opinion

Combatting payment account fraud: Singapore's Shared Responsibility Framework

Published Date
Nov 14 2024
On October 24, 2024, the Monetary Authority of Singapore (MAS) and the Infocomm Media Development Authority (IMDA) jointly announced the implementation of the Shared Responsibility Framework (SRF) in relation to phishing scams. The SRF will come into effect on December 16, 2024.

The MAS and IMDA jointly published a consultation paper on the proposed SRF in October 2023 (please see our blog post here for further information on this). The SRF, to be implemented via a set of Guidelines, seeks to enhance the accountability of financial institutions and telecommunication operators in protecting consumers from scam losses. The MAS and IMDA have now published a response to that consultation, and the feedback received has been instrumental in shaping the final SRF Guidelines.

On the same date, the MAS published its response to its consultation paper proposing measures intended to complement those that would be introduced through the SRF. The measures will, among other things, require financial institutions to put in place specified preventive, detective and remedial anti-scam measures. These mirror the duties in the SRF, but also impose duties that go beyond those set out in the SRF. The measures will be implemented via the revised E-payments User Protection Guidelines.

Scope of the SRF

In-scope persons

The SRF applies to all:

  • Full banks and relevant payment service providers (PSPs) that have issued a protected account and/or are e-wallet service providers holding a major payment institution licence (Responsible FIs); and 
  • Mobile network operators that provide cellular mobile telephone services (Responsible Telcos). 

There were calls to include more entities in the digital communications layer, such as messaging platforms and social media services, but the current scope remains focused on Responsible FIs and Responsible Telcos.

The MAS and IMDA have clarified that the SRF does not apply to corporate customers.

In-scope transactions

The SRF covers unauthorized payment transactions that meet the following criteria:

  • Digital nexus – Where a consumer is deceived into clicking on a phishing link and entering his/her credentials on a fake digital platform, thereby unknowingly revealing these credentials to the scammer. 
  • Territorial nexus – The impersonated entities are either Singapore-based or based overseas and offering their services to Singapore residents.

The SRF does not cover unauthorized payment transactions that do not meet the above criteria, such as those occurring as a result of the consumer having been deceived into giving away his/her credentials to the scammer directly via text messages, phone calls or face-to-face. The SRF also excludes other scam types like malware-enabled scams and authorized payment transactions resulting from scams (e.g., investment scams or love scams) where payments were intended by the victims to be performed at the point of transaction.

Core obligations under the SRF 

Under the SRF, each Responsible FI and Responsible Telco must abide by a defined set of core obligations to avoid being liable for the cost of the fraud to the victim:

Responsible FIs
  • 12-hour cooling off period: Upon activation of a user's digital security token or login to a protected account on a new device, high-risk activities such as adding new payees or changing contact information cannot be performed. 
  • Real-time notification alerts: Responsible FIs must provide real-time notification alerts for the activation of a digital security token or login to a protected account on a new device, and for the conduct of high-risk activities. 
  • Outgoing transaction notifications: Real-time notification alerts for all outgoing payment transactions made from the protected account. 
  • 24/7 reporting channel and kill switch: Responsible FIs must offer a 24/7 reporting channel and a self-service feature (a "kill switch") that consumers can self-activate to immediately block their account and prevent further unauthorized transactions. 
  • Fraud surveillance: In response to feedback, an additional duty requires Responsible FIs to implement real-time fraud surveillance directed at detecting unauthorized transactions in a phishing scam that results in an account being rapidly drained of a material sum to a scammer, and to block or hold such transactions until further verification from the consumer. 

The MAS will allow a 6-month transition period from the date of the SRF’s implementation for Responsible FIs to be held to the fraud surveillance duty, as this was not within the four Responsible FI duties originally consulted on, so this duty will take effect on June 16, 2025.

Responsible Telcos
  • Authorized aggregators: Responsible Telcos must connect only to authorized aggregators for the delivery of Sender ID SMSs to ensure these SMSs originate from bona fide senders registered with the SMS Sender ID Registry. 
  • Blocking unauthorized SMS: Responsible Telcos are required to block Sender ID SMSs which are not from authorized aggregators to prevent delivery of Sender ID SMSs originating from unauthorized SMS networks.
  • Anti-scam filter: An anti-scam filter must be implemented over all SMSs to block SMSs containing malicious URL in a designated database.

Waterfall reimbursement approach 

The SRF adopts a "waterfall approach" to determine which party is to bear the risk of loss arising from an in-scope unauthorized payment transaction:

  • The Responsible FI is first in line and is expected to compensate the victim for their entire loss if it has breached any of its obligations under the SRF. 
  • If the Responsible FI fulfills all of its obligations and the Responsible Telco is assessed to have breached any of its obligations under the SRF, the Responsible Telco is expected to bear the full loss and compensate the victim accordingly. 
  • If both the Responsible FI and the Responsible Telco have carried out their SRF obligations, the consumer bears the full loss under the SRF. However, consumers can still seek recourse through other channels like the Financial Industry Disputes Resolution Centre (FIDReC) or civil courts.

The MAS and IMDA have confirmed that they will not introduce any liability cap for losses.

Operational workflow for handling claims

The SRF sets out a four-stage operational workflow for handling claims:

  • Claim stage: The Responsible FI is the first and overall point of contact with the consumer. It will assess if the claim falls within the SRF's scope and inform the Responsible Telco where applicable. The consumer should report any unauthorized activity to the Responsible FI as soon as practicable, and no later than 30 calendar days from when the Responsible FI sends the notification alerts. The consumer should also provide a valid email address and any other supporting information, such as a police report and digital communication trail(s), within 3 calendar days from the date of notification to the Responsible FI.
  • Investigation stage: The Responsible FI and Responsible Telco (where applicable) will conduct the investigation concurrently and independently to determine whether each of them has fulfilled their obligations under the SRF. The Responsible FI and Responsible Telco should complete the investigation within 21 business days for straightforward cases or 45 business days for complex cases.
  • Outcome stage: The Responsible FI will inform the consumer of the investigation outcome and the assessment of the consumer's responsibility. The Responsible FI should seek acknowledgement from the consumer of the investigation outcome.
  • Recourse stage: Where a consumer is dissatisfied with the outcome, he or she may pursue further action through avenues of recourse such as the FIDReC or civil courts.

Enhancements to the E-payments User Protection Guidelines

The SRF will be complemented by the updated E-payments User Protection Guidelines (EUPG), which set out the expectations of the MAS of any Responsible FI that issues or operates a protected account, and of any user of protected accounts. The MAS will amend the EUPG to align with the SRF and to introduce additional duties for Responsible FIs and account users that go beyond the SRF. These include:

  • A Responsible FI should not send clickable links or phone numbers to retail consumers unless the consumer is expecting it, and if the link is purely informational. 
  • The requirement to implement a consumer’s additional confirmation and tailored risk warnings for consumers before they perform high-risk activities.
  • A new enhanced Responsible FI duty requiring Responsible FIs to have capabilities to detect and block suspicious transactions at all times. 

Like the SFR, the revised EUPG will take effect on December 16, 2024. That said, the MAS recognises that Responsible FIs will require some time to make operational arrangements for the new requirements of the EUPG not originally consulted on. In this regard, there will be a 6-month transition period for Responsible FIs to meet these additional requirements, including the duty to be able to detect and block suspicious transactions at all times, and these requirements will take effect on June 16, 2025.

Evolving approach to combat scams

The SRF is part of a broader effort by the Singapore Government to combat scams and enhance consumer protection. The Government continues to work closely with industry players to refine anti-scam measures and adapt to the evolving threat landscape. Public education remains a critical component of this strategy, with targeted programs for vulnerable groups like the elderly.

Acknowledgments to John Hobbs, trainee with A&O Shearman's Financial Services Regulatory team in London, for his contribution to this post.

 

Related capabilities