MAS to draw up framework for ‘equitable’ sharing of scam losses

THE Monetary Authority of Singapore (MAS) is developing a framework on how losses arising from scams are to be shared among consumers and financial institutions. It is also working with the banking industry on "longer-term measures" to enhance the security of digital banking, the regulator said on Friday (Feb 4).

Legal experts welcomed the move, noting that it can improve transparency and strengthen consumer confidence, especially with a larger number of financial services being digitalised.

Under the framework, financial institutions will be responsible for protecting their customers, such as through robust controls to safeguard customer accounts, and effective measures to detect and respond to suspicious transactions.

Meanwhile, consumers also have to take the necessary precautions, including not giving away personal or banking credentials to others, avoid clicking on links in SMSes or emails that are claimed to be sent by a bank and transacting only through the bank's official website or mobile application.

The proportion of losses each party bears will depend on whether and how the party has fallen short of its responsibilities.

"MAS expects financial institutions to treat their customers fairly and bear an appropriate proportion of losses arising from scams. At the same time, care must be taken to ensure that compensation paid to customers does not weaken their incentive for all to be vigilant," the authority said.

GET BT IN YOUR INBOX DAILY

Start and end each day with the latest news stories and analyses delivered straight to your inbox.

Sign UpVIEW ALL

The Payments Council, chaired by MAS, has been working since July 2021 on the framework, MAS said. It aims to publish the framework for public consultation within the next 3 months. Other than the sharing of losses, the consultation will also cover the responsibilities of other key parties in the system.

MAS's announcements come after close to 800 OCBC customers lost a combined S$13.7 million when scammers took advantage of old short message service (SMS) technology to impersonate the bank and dupe victims into handing over their online banking log-in detailsannouncements come after close to 800 OCBC customers lost a combined S$13.7 million when scammers took advantage of old short message service (SMS) technology to impersonate the bank and dupe victims into handing over their online banking log-in details.

The regulator also said on Friday that OCBC's recent goodwill payouts to fully cover customer losses were a "one-off gesture" and do not set a general precedent for future cases. Circumstances around these payouts include the bank's consideration of how it had not met its own expectations of customer service and do not set a general precedent for future cases.

Associate Professor Christian Hofmann, head of financial regulation and central banking at the National University of Singapore's (NUS) Centre for Banking & Finance Law, welcomed the initiative because it would end a "problematic regulatory vacuum" in the area of fraudulent payment transactions in Singapore and bring the city-state at level with other jurisdictions such as the European Union, which has had rules in place for over a decade.

In drawing up the framework, MAS should distinguish between different types of fraudulent attacks, Hofmann said. For instance, the recent phishing scams prompted reactions from customers that enabled the fraudulent transactions. In these instances, the question of whether customers were negligent can be assessed based on their actions. Reasons to hold customers responsible will be even less likely in, say, malware scenarios, because these transactions are not steered by individual conduct, he said.

Wilson Ang, partner and head of regulatory compliance and investigations at Norton Rose Fulbright (Asia), said a party that had been "clearly or repeatedly negligent, or suffered an obvious lapse in judgement or procedure", should be prepared to take on more blame. Other considerations the framework should take into account include whether preventive steps were taken, mitigation measures after the incident, and the party's financial ability to shoulder the burden.

MAS will also have to decide whether such a framework should be mandatory, or voluntary, as is the case for the UK's Contingent Reimbursement Model, he said.

Nevertheless, having a framework "improves customer confidence and avoids the unrealistic perception that banks will always provide 100 per cent compensation to the victims", Ang added.

That said, lawyer Amolat Singh said that as large business entities, banks could be held to "higher and stricter standards" in implementing and updating their security measures and responsiveness to breaches. But customers deemed to have acted in ways that no ordinary, reasonable person would have done, such as out of sheer greed, therefore leading to a successful scam, would have to shoulder a higher proportion of blame, he said.

Law professor Kelvin FK Low from NUS said the framework should incentivise parties to reduce incidences of fraud in the first place. "It is not reasonable to expect all customers to never fall prey to scams though it would be fair to allocate losses to them if they have demonstrated gross negligence," he said. 

READ MORE:

• MAS and ABS introduce new measures to bolster digital-banking security
• Economists not ruling out further tightening by MAS in April despite surprise off-cycle move
• Banks imposing extra security measures after recent SMS scams; OCBC will make 'full goodwill payouts'