Under the plan, in-scope financial institutions, telecommunications operators and consumers would bear the loss arising from specified in-scope phishing scams. The consultation sought comments from industry stakeholders on key areas of the framework which will be implemented through a set of guidelines to be jointly issued by both bodies.
On the same date, the MAS published an additional consultation paper proposing measures intended to complement those that would be introduced through the SRF. The proposed measures would, among other things, require financial institutions to put in place specified preventive, detective and remedial anti-scam measures. These mirror the duties proposed in the SRF, but also impose duties that go beyond those set out in the SRF. The proposed measures will be implemented via amendments to the E-payments user protection guidelines (which were first introduced in 2018).
Both consultations closed on 20 December 2023, and industry is waiting for the Government’s response.
Scope of the SRF
i. In-scope persons
The SRF is expected to apply to (i) full banks and ‘relevant payment service providers’ (i.e. major payment institutions providing account issuance services where the payment accounts issued can store e-money) (Responsible Financial Institutions); and (ii) telecommunications operators who act as mobile network operators.
The SRF will apply only to in-scope fraud perpetrated against consumers, which are defined as Singapore residents that are offered a payment service.
ii. In-scope transactions
The SRF only covers unauthorized payment transactions (i.e. phishing) that meet the following criteria:
- Digital nexus – Where a consumer is deceived into clicking on a phishing link and entering his/her credentials on a fake digital platform, thereby unknowingly revealing these credentials to the scammer.
- Territorial nexus – The impersonated entities should be either Singapore-based or based overseas and offering their services to Singapore residents.
Phishing scams that do not meet the above criteria and other types of fraudulent unauthorized payment transactions are not covered by the SRF. For example, unauthorized payment transactions occurring as a result of the consumer having been deceived into giving away his/her credentials to the scammer directly via text messages, and non-digital means (i.e. phone calls or face-to-face) will not come under the SRF. Unauthorized payment transactions occurring from hacking or the installation of malware will also not come under the SRF.
The SRF does not apply to any authorized payment transactions (i.e. authorized push payments), even if these result from scams perpetrated on the victims. These would include, for example, payments arising from investment scams or love scams, where payments were intended by the victims to be performed at the point of transaction.
iii. Core obligations
The proposal introduces a framework in which each Responsible Financial Institution and telecommunications operator must abide by a defined set of core obligations to avoid being liable for the cost of the fraud to the victim.
The responsibilities of Responsible Financial Institutions are specified in the SRF to be the following:
- Impose a 12-hour cooling off period upon activation of a user’s “digital security token” during which ‘high-risk’ activities cannot be performed. A “digital security token” is an electronic means by which a user authenticates his/her identity for transactions and must be activated for a new device when first logging in to use online banking services on that device.
- Provide notification(s) on a real-time basis for the activation of a digital security token and conduct of high-risk activities.
- Provide outgoing transaction notifications on a real-time basis.
- Provide a 24/7 reporting channel and a self-service feature (a “kill switch”) that consumers can activate themselves to immediately block their account and prevent further unauthorized transactions.
The responsibilities of telecommunications operators are specified in the SRF to be the following:
- Connect only to authorized aggregators for the delivery of Sender ID SMSs, to ensure these SMSs originate from bona fide senders registered with the SMS Sender ID Registry. The SMS Sender ID Registry is a registry maintained by a Government-linked company. Singapore requires business entities to register the SMS sender IDs from which they send SMSs to their customers, which prevents third parties from spoofing those sender IDs.
- Block sender ID SMSs which are not from authorized aggregators to prevent delivery of sender ID SMSs originating from unauthorized SMS networks.
- Implement an anti-scam filter over all SMSs to block SMSs with known phishing links.
iv. Waterfall reimbursement approach
The proposed SRF suggests a “waterfall approach” as to which party is to bear the risk of loss arising from an in-scope unauthorized payment transaction:
- The Responsible Financial Institution is placed first in line and is expected to compensate the victim for their entire loss if it has breached any of its duties as set out in the SRF.
- If the Responsible Financial Institution has fulfilled all of its duties and the telecommunications operator is assessed to have breached any of its duties as set out in the SRF, the telecommunications operator is expected to bear the full loss and compensate the victim accordingly.
- If both the Responsible Financial Institution and the telecommunications operator have carried out their SRF duties, the consumer bears the full loss under the SRF. However, consumers may still pursue further action through existing avenues of recourse if these are available (for example, making a claim via the courts or arbitration).
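To make the allocation concrete, the following is an added illustration (not part of the consultation or this post) that checks three of the Responsible Financial Institution's core duties above and runs constructed scenarios through the waterfall. The five-minute threshold used for a “real-time” notification, the record layout and the scenarios are assumptions for illustration only.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

COOLING_OFF = timedelta(hours=12)   # SRF: 12-hour cooling-off after token activation
NOTIFY_SLA = timedelta(minutes=5)   # assumed threshold for a "real-time" notification

@dataclass
class Activity:
    when: datetime
    high_risk: bool

@dataclass
class FiRecord:
    token_activated_at: datetime             # digital security token activated on a new device
    token_notified_at: Optional[datetime]    # activation notification sent (None = never sent)
    kill_switch_available: bool              # 24/7 self-service block offered to the consumer
    activities: List[Activity]               # activities the institution allowed afterwards

def cooling_off_breach(rec: FiRecord) -> bool:
    """True if any high-risk activity was allowed inside the 12-hour window."""
    return any(a.high_risk and a.when - rec.token_activated_at < COOLING_OFF
               for a in rec.activities)

def fi_duties_met(rec: FiRecord) -> bool:
    """Cooling-off period honoured, activation notified promptly, kill switch available."""
    if cooling_off_breach(rec):
        return False
    if rec.token_notified_at is None or rec.token_notified_at - rec.token_activated_at > NOTIFY_SLA:
        return False
    return rec.kill_switch_available

def allocate_loss(loss: float, fi_met: bool, telco_met: bool) -> Tuple[str, float]:
    """Waterfall: the institution bears the loss first, then the telco, else the consumer."""
    if not fi_met:
        return ("financial_institution", loss)
    if not telco_met:
        return ("telecommunications_operator", loss)
    return ("consumer", loss)

def demo() -> dict:
    """Constructed scenarios (not real cases) run through the waterfall."""
    t0 = datetime(2024, 1, 10, 9, 0)
    compliant = FiRecord(t0, t0 + timedelta(seconds=30), True,
                         [Activity(t0 + timedelta(hours=13), True)])
    early_transfer = FiRecord(t0, t0 + timedelta(seconds=30), True,
                              [Activity(t0 + timedelta(hours=2), True)])
    return {
        "fi_breach": allocate_loss(5000.0, fi_duties_met(early_transfer), True),
        "telco_breach": allocate_loss(5000.0, fi_duties_met(compliant), False),
        "consumer": allocate_loss(5000.0, fi_duties_met(compliant), True),
    }
```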
E-payments user protection guidelines
As noted, the MAS first issued the E-payments user protection guidelines (EUP guidelines) in 2018. These guidelines set out the MAS’ expectations as to the duties of financial institutions, account holders and account users for dealing with risk arising from the use of electronic methods to carry out payment transactions. The duties set out in the EUP guidelines are considered by the MAS in the course of its supervision of the conduct of financial institutions.
The core duties set out in the SRF are proposed to be mirrored in the EUP guidelines. In addition, the consultation on the EUP guidelines proposes additional duties on financial institutions that will not be part of the SRF but set out the MAS’ expectations in this area. The additional duties include the following:
- Clickable links or phone numbers should not be used in messages to retail customers.
- High-risk activities should require additional layers of authentication and verification before they can be executed.
- Notifications of transactions should be sent on a real-time basis.
- Consumers should be provided with a kill switch, which is a self-service option for the consumer to promptly block his/her account from digital access.
- When notifying of transactions or asking customers to authenticate transactions, customers should be given sufficient information to allow them to confirm the validity of the transactions.
- The financial institution should withhold and/or waive any outstanding amount and charges directly relating to a disputed transaction, during its investigation period.
The proposed amendments to the EUP guidelines also set out enhanced duties of customers. These include expectations that customers abide by good cyber hygiene practices, read pop-up risk warning messages and report unauthorized activities on their accounts in a timely fashion.
Next steps
Responses to the consultations are being reviewed by the Government, and we await its response.
Acknowledgments to Osama Shabaan, trainee with A&O Shearman's Financial Services Regulatory team in London, for his contribution to this post.