The Business Times

Banks, telcos on the hook for losses if they fail duties to protect scam victims

Yong Jun Yuan
Published Wed, Oct 25, 2023 · 04:28 PM

FINANCIAL institutions (FIs) and telecommunications companies in Singapore may soon have to share the responsibility of losses by victims of phishing scams if they fail to put in place measures to protect their customers.

This is among the proposals in a joint consultation paper released by the Monetary Authority of Singapore (MAS) and the Infocomm Media Development Authority (IMDA) on Wednesday (Oct 25).

The paper seeks industry views on a proposed framework under which banks, telcos and scam victims share responsibility for losses.

MAS first announced the development of the framework in February 2022, after phishing scams were perpetrated against OCBC customers using short message service (SMS) technology.

It builds on an earlier framework by the Payments Council that covered only FIs. But telcos have been included in the new framework, given that they facilitate the sending of SMS messages, which remain an official communication channel and a means of sending authorisation codes such as SMS one-time passwords (OTPs).

The paper said: “As infrastructural players, telcos play a supporting role in fostering the security of digital banking and digital payments, by implementing scam disruption measures within the SMS communications networks that reduce the risks of scam SMS being delivered to consumers.”

By setting out discrete and well-defined duties for FIs and telcos to mitigate the risk of consumers falling prey to phishing scams, MAS said the proposed framework aims to strengthen the “direct accountability” of these companies to consumers.

In phishing scams covered under the framework, losses are assigned to FIs and telcos only when they fail to carry out the duties assigned to them.

For example, when a digital security token is activated, FIs have to impose a 12-hour cooling-off period – during which certain high-risk activities cannot be performed.

Telcos, on their part, are required to implement an anti-scam filter to block SMSes with known phishing links, for example.

Under a “waterfall approach”, the framework places the responsibility on the FIs to bear the full loss first, followed by the telcos.

“If FIs and telcos have fulfilled their duties, the Shared Responsibility Framework (SRF) will not require payouts to be made to consumers.

“It is therefore critical for consumers to continue to exercise vigilance at all times, and not click on unsolicited, suspicious links,” the paper said.

The proposed framework will exclude certain types of transactions and scams.

For instance, scams in which victims authorise payments to a scammer will not be covered. This would include investment scams or love scams.

“Such scams also do not fundamentally affect confidence in digital payments or digital banking, as they can equally happen in the non-digital world,” the paper said.

Because the SRF is designed to cover phishing scams that happen digitally, scams in which consumers are tricked into giving away their credentials will not be covered as well.

“This takes into account years of public education to sensitise consumers to the fact that they should never reveal their credentials or OTP directly to anyone under any circumstances,” the paper said.

Other emerging scam variants that do not involve phishing, such as identity theft and malware scams, are also not covered by the framework.

“It is premature to set out specific malware scam-related duties for different stakeholders at this stage, as these measures are still developing and will evolve significantly, given the nature of malware scams,” the paper said.

How claims are processed

Those who find out that they have been scammed are expected to make a police report, and then provide the report and a valid e-mail address to file a claim with their FI.

If the scam was perpetrated through SMS, both the FI and telco investigate the victim’s claim. But if the scam was perpetrated on another platform, only the FI will investigate the scam.

Claims for straightforward cases should be investigated within 21 business days; complex cases could take up to 45 business days.

“Complex cases may include cases where the consumer or any other party involved in the claim is overseas and uncontactable during the investigation period,” the paper said.

At the end of an investigation, victims receive a written reply with the outcome of the probe, and an assessment of the consumer’s responsibility for the losses.

A consumer who disagrees with the finding may approach the Financial Industry Disputes Resolution Centre (FIDReC). The victim may also write to IMDA if they disagree with the telco’s assessment on the breach of its duties, or file a claim with the courts.

MAS deputy managing director of financial supervision Ho Hern Shin said that aside from the proposed framework, the central bank will propose amendments to the e-payments user-protection guidelines.

These amendments aim to “uplift the standards of anti-scam measures across the financial system, and reinforce consumers’ responsibility to take precautions against scams”, she said.

IMDA deputy chief executive of connectivity, development and regulation Aileen Chia noted that scam SMS cases fell by 70 per cent three months after the SMS Sender ID Registry was introduced in January 2023.

The registry requires companies to register their sender IDs and engage an authorised aggregator to send their SMSes.

In response to the release of the consultation paper, Singtel said it will review the document and respond in due course.

The telco added that it proactively blocks scam calls and messages, and is helping to raise scam awareness among members of the public through its digital-literacy programmes.

Similarly, an M1 spokesperson said that it has also been proactively sharing alerts with customers to help them recognise and avoid scams. The company will also review the consultation paper and respond to regulators.

Association of Banks in Singapore director Ong-Ang Ai Boon said the proposed framework is a “good first step” in setting the baseline for shared responsibility for preventing scams across the digital ecosystem.

“To bolster our fight against scams and fraud, we believe that it is necessary for us to galvanise collective action, which includes other members of the digital ecosystem, such as tech companies and e-commerce platforms,” she said.

She added that banks will continue to introduce new anti-scam measures and enhancements. While these measures may cause customers some inconvenience, they are “necessary safeguards” to protect them from scammers and to maintain confidence in digital banking services, she said.
