The Monetary Authority of Singapore (MAS) and Infocomm Media Development Authority (IMDA) today published a joint consultation paper proposing a Shared Responsibility Framework (SRF) for phishing scams.
The SRF assigns financial institutions (FIs) and telecommunication companies (Telcos) relevant duties to mitigate phishing scams, and requires payouts to affected scam victims where these duties are breached.
The SRF builds on the work done last year by the Payments CouncilThe Payments Council comprises the major providers and user groups of payment services in Singapore, and is chaired by MAS. on a framework for sharing losses due to phishing scams that covered only FIs. The SRF includes FIsFIs include banks holding full bank licences and major payment institutions that offer account issuance services. , who play a critical role as gatekeeper against the outflow of monies due to scams, as well as TelcosTelcos refer to Mobile Network Operators., who play a supporting role as infrastructure providers for SMS which is used by FIs as an official communication channel.
Among scam types prevalent today, digitally-enabled scams that result in unauthorised transactions are of particular concern. As such transactions are performed without the customer’s knowledge or consent, they could undermine confidence in our digital banking and payments systemsThese scams are distinct from those that involve authorised transactions carried out with the customer’s knowledge and consent, e.g. investment scams, job scams, love scams, etc..
The SRF will focus on a defined scope of phishing scams, where consumers are deceived into revealing their account credentials to scammers impersonating legitimate entities, leading to unauthorised transactions being performed.
The proposed framework aims to strengthen the direct accountability of FIs and Telcos to consumers. It sets out discrete and well-defined dutiesRefer to for the duties of FIs and Telcos under the SRF. for FIs and Telcos to mitigate the risk of consumers falling prey to phishing scams. Breaches of these duties, such as a failure to send outgoing transaction notification(s) to consumers in the case of FIs, and a failure to implement a scam filter in the case of Telcos, would be the starting point for determining the party to be held responsible for losses under the framework. It therefore incentivises FIs and Telcos to strictly uphold the desired standards of anti-scam controls.
The consideration of which party will bear responsibility for the losses is accordingly based on a “waterfall approach”. FIs, followed by Telcos, are expected to bear the full loss, if they fail to discharge their respective prescribed duties. FIs stand first in line, given that they hold greater responsibility as custodians of consumers’ money. Telcos stand second in line, as they play a secondary role in fostering security of digital payments by facilitating SMS delivery. If FIs and Telcos have fulfilled their duties, the SRF will not require payouts to be made to consumers. It is therefore critical for consumers to continue to exercise vigilance at all times and not click on any unsolicited, suspicious links.
The SRF will not cover malware-enabled scams (malware scams). Although malware scams also result in unauthorised transactions which could undermine confidence in digital banking, this type of scam is relatively new, and it is premature to set out specific malware scam-related duties at this stage given that these risk-mitigating measures are still developing.
8 The Government is resolute in fighting malware scams and has been working closely with the industry to take upstream and downstream safeguard measuresRefer to ABS’ media release on “Banks in Singapore will do their part to protect customers against scams” dated 24 October 2023, , together with extensive public educationRefer to Reply to Adjournment Motion on “Losses from Scams and Malware Fraud: Doing Right by Bank Customers” dated 18 September 2023, . The Government will continue to monitor the evolving scam landscape in the future application of the SRF.
The joint consultation paper seeks comments on the scope of the SRF, duties of FIs and Telcos under the framework, and the approach for payouts for scam losses, among others. The Government will carefully take into account these comments when finalising the framework.
Ms Ho Hern Shin, Deputy Managing Director (Financial Supervision), MAS, said “MAS, the financial industry and other government agencies have been collaborating closely to combat scams. The SRF assigns shared responsibility by specifying upstream anti-scam duties FIs and Telcos have to adhere. Breaches of the duties will result in payouts to affected scam victims. This incentivises vigilance by all parties in the ecosystem to uphold safety in e-payments. Alongside the proposed SRF, we are also proposing amendments to the E-payments User Protection Guidelines (EUPG), to uplift the standards of anti-scam measures across the financial system, and reinforce consumer’s responsibility to take precautions against scams.
Ms Aileen Chia, Deputy Chief Executive (Connectivity, Development & Regulation), IMDA said “IMDA has worked closely with the Telcos to implement a multi-layered approach to prevent scams from being conducted over calls and SMS. Measures such as the mandatory SMS Sender ID Registry introduced in January 2023 have significantly reduced the number of scam SMS cases by 70% in the 3 months since the Registry’s launch. The inclusion of Telcos in the Shared Responsibility Framework as supporting infrastructure providers serves to strengthen the ecosystem against scams.”