Singapore’s deputy prime minister has been probed on issues such as credit card fraud, customer data misuse and joint account protocols in the latest spate of questions from the country’s lawmakers.
The city-state recorded an average of 790 credit card fraud cases annually between 2021 and 2023, amounting to an average yearly loss of $2.1m, according to Gan Kim Yong, the deputy prime minister and Monetary Authority of Singapore (MAS) chair.
Gan was addressing a question from Desmond Choo, a member of parliament for the ruling Workers Party, about the prevalence of credit card fraud and measures to combat it.
In his response, the minister acknowledged that “safeguards against credit card fraud put in place by global card schemes such as those operated by Visa and Mastercard, and card issuers such as banks, have strengthened over time”.
One such measure is the 3-D Secure (3DS) protocol used by card schemes such as Visa and Mastercard, a system that requires an additional layer of authentication beyond static card details, making it significantly harder for unauthorised transactions to proceed.
Local payment service providers have also enhanced their fraud detection mechanisms with real-time monitoring, alerting customers immediately when potentially fraudulent activity is detected.
In addition, payment service providers (PSPs) are shifting from SMS one-time passwords (OTPs) to push notifications via banking apps, which offer stronger protection against phishing.
When asked whether Singapore would adopt a framework akin to the recently established Shared Responsibility Framework (SRF) to address credit card fraud, the minister declined.
“The Shared Responsibility Framework is not suitable in the context of credit card fraud. There are already well-established rules protecting credit card holders, and limiting their liability in the event of fraud.”
For example, under the Association of Banks in Singapore code of practice for credit cards, consumers’ liability for unauthorised transactions is capped at $100, provided they are not grossly negligent and report the fraud promptly.
However, situations where a cardholder unknowingly authenticates a fraudulent 3DS transaction would likely constitute negligence and void this cap.
In addition, the chargeback mechanism allows cardholders to dispute unauthorised charges and seek refunds, especially when merchants fail to implement the 3DS protocol.
Data protection
As well as tackling credit card fraud, parliamentarians addressed concerns over the misuse of bank customers' personal data, particularly National Registration Identity Card (NRIC) numbers.
Responding to questions from MPs Don Wee and Rachel Ong, the minister stated that “the Association of Banks in Singapore has recently assured consumer banking customers that NRIC numbers alone cannot be used to effect payment and fund transfers”.
“Banks are also conducting a thorough review of their practices on the use of NRIC numbers to confirm that their practices are in line with the prevailing Personal Data Protection Commission’s Advisory Guidelines on NRIC,” he said.
Meanwhile, the minister pointed to the country’s Ministry of Digital Development and Information, which has announced updates to these guidelines following public consultations.
“MAS will work with financial institutions to align practices where needed when the revised guidelines are issued,” he said.
He added that PSPs operating in the country are also enhancing customer education on cybersecurity and identity theft prevention, while revising account authentication measures to go beyond traditional identifiers such as NRIC numbers, phone numbers and full names.
Lawmakers also discussed the closure of joint bank accounts following the death of a co-account holder. In response to a question from representative Hazel Poa, the minister clarified that the MAS does not mandate the closure of joint accounts upon the death of one holder.
Poa had asked whether the regulator “has any directives or regulatory requirements that compel banks to close joint accounts upon being notified of the death of a joint account holder”.
The minister was clear that PSPs may allow surviving account holders to retain and use the account or assist them in withdrawing or transferring funds if closure is required.
He also confirmed that the MAS is working with the financial industry to streamline post-death estate settlement processes and harmonise practices for the benefit of customers, particularly the elderly.
Customer protection seemingly a priority
Like their counterparts in jurisdictions such as the UK, EU and Australia, lawmakers in Singapore are seemingly becoming more concerned about customer protections for online payers, as evidenced by the queries about credit card fraud and customer data misuse.
This shows that the rapid switch to online banking and payments, especially after the COVID-19 pandemic, is increasingly seeping into the political discourse.
A significant focus here is digital transformation, as the government and financial institutions shift from traditional identifiers, such as NRIC numbers, to more secure, technology-driven solutions such as push notifications and multi-factor authentication, which have already become widely used in regions such as Europe.
Regulatory alignment also appears to have become a priority for Singapore, with efforts underway to update guidelines and ensure compliance with evolving legal and industry standards.
This approach addresses the challenges posed by technological advancements and new threats in the financial landscape, while the government also appears to be working on more simplified processes in the banking sector.
Harmonising practices for handling joint accounts after the death of a co-holder, for example, reflects a commitment to making financial services more accessible and less burdensome, particularly for elderly individuals and other vulnerable groups.
As a result of these priorities, PSPs and credit card companies may end up facing increased compliance costs as they adapt to evolving compliance requirements.
This includes implementing enhanced authentication protocols, echoing those expected of firms in the EU and the UK with strong customer authentication (SCA), and aligning data protection practices with the updated guidelines from the Personal Data Protection Commission (PDPC).
The demand for innovation is intensifying, with companies expected to adopt robust security measures such as 3DS, to move away from SMS OTPs, and to invest to ensure that the technology is in place to create a frictionless but also secure process.
Operational adjustments will also be necessary as companies respond to shifts such as reduced reliance on NRIC numbers and simplified processes for post-death account management.
These changes will require updates to account verification systems and improvements in customer service to ensure a smooth transition.