MAS and IMDA propose that certain financial institutions and telcos share responsibility for losses arising from digital phishing scams with a Singapore link.

MAS, IMDA Propose Shared Responsibility for Scam Losses

Date: October 30, 2023
Author: OrionW

The Monetary Authority of Singapore (MAS) and the Info-communications Media Development Authority (IMDA) released the proposed Shared Responsibility Framework (SRF) for public consultation on 25 October 2023. Under the proposed SRF, certain financial institutions (Responsible FIs) and mobile network operators (Responsible Telcos) will share responsibility for scam losses under the so-called ‘waterfall’ approach if they breach their respective duties to detect and combat scams.

Covered Scams

The proposed SRF only applies to digital phishing scams with a Singapore link, such as where an individual, after clicking a phishing link, unknowingly gives their account details to persons impersonating entities in Singapore or entities otherwise offering their services to Singapore residents.  This limited scope is consistent with the policy objective of preserving confidence in digital payments and digital banking in Singapore.

Notably, scams where account credentials are divulged to the scammer directly through non-digital means (e.g., by text message), or where payments are authorised by the victims themselves (e.g., love scams), are excluded from the proposed SRF. Unauthorised transactions through hacking and malware are also excluded. For these types of scams, victims may rely on existing remedies, including filing a dispute with the Financial Industry Disputes Resolution Centre Ltd (FIDReC).

Responsible FI Duties

Responsible FIs, i.e., full banks and major payment institutions issuing payment accounts that hold e-money, are required to:

  • impose a 12-hour cooling off period after digital security token activation where ‘high-risk’ activities, such as adding new payees, increasing transaction limits, disabling transaction notification alerts and changing contact information, cannot be performed;
  • provide real-time notification alerts for digital security token activation and high-risk activities;
  • provide real-time outgoing transaction notification alerts in line with industry-baseline notification thresholds or the threshold selected by the consumer; and
  • provide a 24/7 reporting channel to report, and a kill switch to block, unauthorised account access.

These duties are aligned with the Proposed E-Payments User Protection Guidelines (see our article here).

Responsible Telco Duties

Under the proposed SRF, Responsible Telcos must:

  • connect only to authorised aggregators for delivery of SMS messages with alphanumeric Sender IDs (Sender ID SMS) that originate from bona fide senders registered with the SMS Sender ID Registry;
  • block Sender ID SMS which are not from authorised aggregators; and
  • implement an anti-scam filter over all SMS to block SMS with known phishing links.

Shared Responsibility – Waterfall Approach

To determine who is responsible for losses arising from a covered scam, the proposed SRF uses the 'waterfall approach,' where:

  • the Responsible FI is fully liable if it breaches any of its SRF duties;
  • if the Responsible FI's duties are fulfilled, the Responsible Telco will be fully liable if it breaches any of its SRF duties; and
  • if both the Responsible FI and Responsible Telco have carried out their SRF duties, the consumer bears the full losses, but may opt to take action through other avenues of recourse.

Claims Process

The proposed SRF also includes a streamlined 4-stage claims process where a claiming consumer will only contact the Responsible FI (except in case of a telco-specific query).  In turn, the Responsible FI will assess if the claim falls within the SRF’s scope and will coordinate with any Responsible Telco.

Both the Responsible FI and the Responsible Telco should investigate the claim if it involves phishing through SMS; otherwise only the Responsible FI should investigate. Investigations involving straightforward cases are expected to finish within 21 business days, while complex cases (e.g., where a party involved in the claim is overseas and uncontactable) may take up to 45 business days.

Conclusion

The proposed SRF strengthens Singapore’s commitment to addressing digital phishing scams.  Through the ‘waterfall’ scheme, a balanced approach is implemented, where Responsible FIs and Responsible Telcos are made accountable for their breaches, but individuals are also urged to be discerning and vigilant.  While the proposed SRF is currently limited as to the covered scams, the stakeholders and their duties and the payout conditions, regulators will review and update it as necessary.

For More Information

OrionW regularly advises clients on payment services matters. For more information about the regulation of payment services in Singapore, or if you have questions about this article or other payment services matters, please contact us at fintech@orionw.com.

Disclaimer: This article is for general information only and does not constitute legal advice.
