Singapore To Introduce New Reimbursement Rules For Phishing Scams

October 29, 2024
Financial institutions (FIs) and telcos in Singapore will soon be subject to new rules that will make them “directly accountable” for losses incurred by victims of certain phishing scams.

Last week, regulators in Singapore announced that a new Shared Responsibility Framework (SRF) for phishing scams will come into effect on December 16, 2024.

Led by the Monetary Authority of Singapore (MAS) and the Infocomm Media Development Authority of Singapore (IMDA), the SRF sets out expectations for phishing scam prevention across the financial and telecom sectors.

It also sets out reimbursement requirements in cases where a customer is scammed due to the failure of either an FI or a telco to uphold its obligations under the SRF.

The SRF is designed to cover phishing scams with a digital nexus, where a consumer is deceived into clicking on a phishing link and entering their credentials into a fake digital platform.

In such attacks, the scammer then uses the stolen credentials to make unauthorised transactions from the consumer’s account, potentially draining it of all funds.

The SRF excludes scams in which the victim is tricked into authorising a payment to the scammer, such as investment and romance scams.

It also excludes scams where the victim is tricked into giving their credentials to a scammer by non-digital means, such as by phone call or face-to-face.

“This takes into account years of public education to sensitise consumers to the fact that they should never reveal their credentials or one-time passwords directly to anyone under any circumstances,” said the MAS.

Who is in scope?

Under the SRF, in-scope FIs include not only banks but also payment service providers (PSPs) that offer e-money or e-wallet services directly to retail customers.

In previous materials, the MAS said the aim of the SRF is to ensure that all “custodians of consumers’ money” fall under the regulation.

FIs have “primary responsibility” to safeguard consumers’ accounts, said the MAS, and to act as “gatekeepers” against outflow of funds following a scam.

Telcos, meanwhile, are designated for their role in providing supporting infrastructure for FIs to communicate with customers.

FIs use SMS not only as an official communications channel, but also as a channel for sending authorisation codes to customers, making it a prime target for scammers.

Under the SRF, in-scope telcos are limited to Singapore’s four mobile network operators (MNOs), namely SingTel Mobile, M1, StarHub and SIMBA Telecom.

Scam-fighting measures

The SRF outlines four “duties” that FIs must uphold in order not to be liable for consumer losses to phishing scams.

The first duty is that FIs must impose a 12-hour “cooling-off period” if a customer account is logged into from a new device.

During the cooling-off period, no high-risk activities, such as the setting up of new payees or raising of transaction limits, may be performed.

The second duty is that FIs must send notifications to consumers in real time whenever a high-risk activity takes place on their account.

Combined with the first duty, this is expected to prompt consumers to act immediately if an unauthorised activity takes place on their account.

The third duty requires FIs to send real-time notifications to consumers of all outgoing transactions.

And the fourth duty requires FIs to provide a 24/7 reporting channel and a self-service “kill switch” that lets consumers report and block unauthorised access to their accounts.

Real-time fraud surveillance

In a joint statement, the MAS and IMDA said that there will be one new addition to the SRF that was not included in the consultation last year.

Under this additional rule, FIs must implement real-time fraud surveillance for detecting unauthorised transactions from phishing scams that could result in account draining.

FIs will be granted a six-month grace period to comply with this additional rule, but all other provisions of the SRF, for both telcos and FIs, will come into effect in December.

Ho Hern Shin, deputy managing director for financial supervision at the MAS, said the new rule is likely to mean that retail customers experience “additional friction” when making large-value transactions.
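To make the four duties and the surveillance rule concrete, here is an added example of the kind of account-protection logic an FI might put in front of its transaction APIs. It is not code from MAS, IMDA or any FI, and it simplifies: the cooling-off is applied to the whole account for 12 hours after a login from a never-seen device, the notification channel is stubbed into an in-memory list, and the surveillance rule (hold a transfer to a payee added in the last 24 hours if it would move at least half the balance) uses thresholds that are assumptions, not anything the SRF prescribes.

```python
"""Toy account-protection policy modelled on the SRF duties.

Added example, not MAS/IMDA/FI code. Thresholds and rule shapes are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple, Dict, List

COOLING_OFF = timedelta(hours=12)           # duty 1: new-device cooling-off
HIGH_RISK_ACTIONS = {"add_payee", "raise_limit"}
NEW_PAYEE_WINDOW = timedelta(hours=24)      # surveillance rule: assumed window
DRAIN_RATIO = 0.5                           # surveillance rule: assumed ratio


@dataclass
class Account:
    balance: float
    known_devices: Dict[str, datetime] = field(default_factory=dict)  # device -> first seen
    payees: Dict[str, datetime] = field(default_factory=dict)         # payee -> time added
    cooling_off_until: Optional[datetime] = None
    frozen: bool = False                                              # duty 4: kill switch
    notifications: List[str] = field(default_factory=list)            # duties 2 and 3


def notify(acct: Account, message: str) -> None:
    """Stand-in for a real-time push/SMS notification; recorded in memory here."""
    acct.notifications.append(message)


def login(acct: Account, device_id: str, now: datetime) -> bool:
    """Register a login. A never-seen device starts the 12-hour cooling-off."""
    if acct.frozen:
        return False
    if device_id not in acct.known_devices:
        acct.known_devices[device_id] = now
        acct.cooling_off_until = now + COOLING_OFF
        notify(acct, f"New device {device_id} logged in; high-risk actions blocked for 12h")
    return True


def perform_high_risk(acct: Account, action: str, target: str, now: datetime) -> Tuple[bool, str]:
    """Duty 1 gate (cooling-off) plus duty 2 real-time notification."""
    if acct.frozen:
        return False, "account frozen by kill switch"
    if action not in HIGH_RISK_ACTIONS:
        return False, "unknown action"
    if acct.cooling_off_until is not None and now < acct.cooling_off_until:
        return False, "cooling-off period in effect"
    if action == "add_payee":
        acct.payees[target] = now
    notify(acct, f"High-risk action {action} on {target}")
    return True, "ok"


def transfer(acct: Account, payee: str, amount: float, now: datetime) -> Tuple[bool, str]:
    """Duty 3 notification plus an account-draining surveillance rule (assumed)."""
    if acct.frozen:
        return False, "account frozen by kill switch"
    if payee not in acct.payees:
        return False, "payee not set up"
    if amount > acct.balance:
        return False, "insufficient funds"
    recent_payee = now - acct.payees[payee] < NEW_PAYEE_WINDOW
    if recent_payee and amount >= DRAIN_RATIO * acct.balance:
        notify(acct, f"HELD: {amount} to new payee {payee} looks like account draining")
        return False, "held for fraud review"
    acct.balance -= amount
    notify(acct, f"Outgoing transfer {amount} to {payee}")
    return True, "ok"


def kill_switch(acct: Account) -> None:
    """Duty 4: customer-triggered freeze of all access."""
    acct.frozen = True
    notify(acct, "Account frozen at customer request")


def scenario() -> dict:
    """Constructed phishing scenario: attacker logs in with stolen credentials from a new device."""
    t0 = datetime(2024, 12, 16, 9, 0, tzinfo=timezone.utc)
    acct = Account(balance=10_000.0, known_devices={"phone-A": t0 - timedelta(days=30)})
    login(acct, "phone-X", t0)                                                      # attacker's device
    r1 = perform_high_risk(acct, "add_payee", "mule-1", t0 + timedelta(hours=1))    # blocked
    r2 = perform_high_risk(acct, "add_payee", "mule-1", t0 + timedelta(hours=13))   # allowed after 12h
    r3 = transfer(acct, "mule-1", 9_000.0, t0 + timedelta(hours=13, minutes=5))      # held as drain
    r4 = transfer(acct, "mule-1", 100.0, t0 + timedelta(hours=13, minutes=6))        # allowed
    kill_switch(acct)                                                               # customer reacts
    r5 = transfer(acct, "mule-1", 50.0, t0 + timedelta(hours=14))                    # frozen
    return {"r1": r1, "r2": r2, "r3": r3, "r4": r4, "r5": r5,
            "balance": acct.balance, "notes": len(acct.notifications)}


if __name__ == "__main__":
    print(scenario())
```

The point of the combined gate is visible in the scenario: the cooling-off alone only delays the attacker, so the real-time notification on the new-device login and on the eventual payee set-up is what gives the customer a chance to reach for the kill switch, and the surveillance rule catches the large transfer even if they do not.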

Complementing Singapore’s multi-sector approach

The duties of telcos under the SRF mainly relate to the implementation of Singapore’s SMS Sender ID Registry (SSIR), which came into effect in full in January 2023.

Under the SSIR regime, all legitimate organisations that send SMS using alphanumeric sender IDs are required to verify themselves. Meanwhile, all SMS sent by non-registered senders are marked as “Likely-SCAM”.

The MAS said the SRF adds to previous anti-scam protections implemented by the IMDA and other agencies, resulting in a “whole-of-ecosystem” approach to prevention and reimbursement.

In June, as covered by Vixio, Singapore's Online Criminal Harms Act (OCHA) came into effect in full, imposing new anti-scam obligations on social media, e-commerce and instant messaging platforms.

The OCHA allows the government to issue directions to online service providers, entities or individuals to disable access to online criminal content or accounts, including scams.

Singapore’s approach looks likely to be emulated by Australia, under its Scams Prevention Framework, and there are growing calls for similar multi-sector measures to be adopted in the UK.
