The Monetary Authority of Singapore (MAS) is consulting on proposed updates to the E-Payments User Protection Guidelines (EUPG) to improve anti-scam controls and emphasise consumer vigilance and responsibility in view of the rising incidence of digitally-enabled scams.
The EUPG applies to (a) financial institutions (Responsible FIs) that issue or operate protected accounts, which are essentially payment accounts of individuals (including sole proprietors) that can hold more than S$500 (or its equivalent foreign currency) and can be used for electronic payment transactions, and (b) users of protected accounts.
Key Proposed Changes
The Proposed EUPG sets out the following key enhancements:
- Restrictions on sending clickable links and phone numbers: A Responsible FI must:
  - not send clickable links via email or SMS to a protected retail banking account holder unless (a) the link is only informational and does not require the account holder to perform a transaction or install an application and (b) the account holder is expecting the link; and
  - not send phone numbers via SMS to a protected account holder unless the latter is expecting it.
- Real-time notifications: Real-time notifications must be sent to protected account holders when (a) their digital security token is activated; (b) a high-risk activity (e.g., adding of payees to the account holder's payment profile, increasing transaction limits for outgoing payment transactions) is being performed; or (c) an outgoing payment transaction in excess of the transaction notification threshold is being made.
- Cooling-off period: A digital security token should be allowed to authenticate a high-risk activity only after 12 hours from the time of its activation.
- Kill switch: A Responsible FI must provide account holders with kill switches to block further mobile and online access to the protected account.
- Responsibilities during scheduled downtime: The obligations to provide real-time notifications and kill switches apply even during a scheduled system downtime.
- Additional account holder duties: Account holders will be responsible for:
  - using strong passwords or strong authentication methods such as facial recognition or fingerprint authentication;
  - not jailbreaking or rooting devices they use;
  - downloading the Responsible FI's mobile application from official sources only;
  - using a Responsible FI’s contact details obtained from official sources;
  - not clicking on unexpected links purportedly from a Responsible FI;
  - reading and understanding risk warning messages before performing high-risk activities;
  - reporting any unauthorised activity to the Responsible FI within 30 calendar days after receipt of notification for such activity; and
  - activating the kill switch provided by the Responsible FI upon being notified of an unauthorised transaction.
- Dispute resolution process: A Responsible FI must:
  - have a dispute resolution mechanism to process disputes over claim investigation results (Disputed Investigation), including reporting channels for account holders to raise the Disputed Investigation;
  - complete a Disputed Investigation within 21 business days from its receipt, unless exceptional circumstances warrant an extension; and
  - waive or withhold settlement of charges directly relating to the disputed transaction until the final resolution of the Disputed Investigation, including after any dispute before the Financial Industry Disputes Resolution Centre (FIDReC).
Conclusion
The proposed changes to the EUPG impose new, wide-ranging duties and responsibilities on both Responsible FIs and account holders to address digital scams. As noncompliance can lead to substantial financial losses, Responsible FIs and account holders should be mindful of the changes to the EUPG and be ready to comply once the updated EUPG is finalised and implemented.
For More Information
OrionW regularly advises clients on payment services matters. For more information about the regulation of payment services in Singapore, or if you have questions about this article or other payment services matters, please contact us at fintech@orionw.com.
Disclaimer: This article is for general information only and does not constitute legal advice.