Singapore’s regulators are developing a framework for shared responsibility in dealing with phishing scams, noting that financial institutions and telecommunication companies can do more.
The Monetary Authority of Singapore (MAS) and the Infocomm Media Development Authority (IMDA) have published a joint consultation paper proposing a Shared Responsibility Framework (SRF) for phishing scams.
Stakeholders now have until December 20, 2023 to respond to this consultation.
“This incentivises vigilance by all parties in the ecosystem to uphold safety in e-payments,” said Ho Hern Shin, deputy managing director at the MAS.
The official also said that the MAS is proposing amendments to the E-Payments User Protection Guidelines (EUPG), which were originally put in place in 2018.
This is to uplift the standards of anti-scam measures across the financial system and reinforce consumers' responsibility to take precautions against scams.
Under the SRF, financial institutions and telecommunication companies would be assigned relevant duties to mitigate phishing scams, and payouts to affected scam victims would be required where these duties are breached.
The framework builds on the work done last year by the Payments Council on a framework for sharing losses due to phishing scams that covers only banking and payment firms.
This new model includes financial institutions that play a critical role as the gatekeeper against scam transactions taking place, as well as telecommunication companies, which the regulators say play a supporting role as infrastructure providers for SMS, which is used by financial institutions as an official communication channel.
The framework will define the scope of phishing scams, where consumers are deceived into revealing their account credentials to scammers impersonating legitimate entities, leading to unauthorised transactions being performed.
Here, the proposed framework aims to strengthen the direct accountability of financial services and telecommunication firms to consumers, mitigating the risk of consumers falling prey to phishing scams.
Breaches of duties, such as a failure to send outgoing transaction notification(s) to consumers in the case of financial institutions, and a failure to implement a scam filter in the case of telecommunication firms, would be the starting point for determining the party to be held responsible for losses under the framework.
The hope is that this will incentivise firms in both sectors to strictly uphold the desired standards of anti-scam controls.
'A waterfall approach'
The MAS and IMDA have said that the determination of which party has responsibility is based on a so-called “waterfall approach”.
In this instance, financial institutions, followed by telecommunication firms, are expected to bear the full loss, if they fail to discharge their respective duties as prescribed.
According to the regulators, financial institutions “stand first in line”, due to the fact that they hold greater responsibility as monetary custodians for customers.
Telecoms companies, meanwhile, are regarded as having a “second in line” role in fostering the security of digital payments by facilitating SMS delivery.
If both parties have fulfilled their duties, the SRF will not require payouts to be made to consumers.
The SRF will also not cover malware-enabled scams, because these types of scam are newer.
The authorities regard it as premature to set out specific malware scam-related duties at this stage given that these risk-mitigating measures are still developing.
Political pressure
As with its counterparts in Europe, the MAS appears keen to establish a framework to better account for fraud issues.
With the rise of digital payments has come the rise of fraudulent activity, and regulators have been keen to take stock of that.
Part of this may be owing to political pressure.
For example, in September 2023, an opposition member of parliament, Sylvia Lim, raised concerns about financial losses from scams.
This prompted a response from the Singaporean government, with trade and industry minister Alvin Tan saying that the government “shares her concerns”, cautioning that “scams are an ever-present and evolving threat”.
“The government will spare no effort to implement effective upstream and downstream anti-scam measures alongside industry,” he said.
Tan continued that the government could “inevitably sacrifice some convenience to achieve better security”, while stating that a “discerning and vigilant public remains an essential pillar in our collective fight against scams”.
The government was also asked in May 2023 to provide updates on the SRF by Lim Wee Kiak, a member of the governing party.
Taking a different approach
Singapore’s approach is different to its European counterparts, where the onus is generally entirely on the banks to provide compensation.
This has created tension in the banking and payments industry, with key players including the UK Payments Association and large retail banks such as Barclays, TSB and Santander warning that scams often evolve on social media platforms, yet those companies are not held accountable.
Meanwhile, the EU’s proposed Payment Services Regulation demands that payment service providers (PSPs) refund consumers if they were coaxed into making a transaction by a criminal impersonating their PSP, provided that the consumer has reported the incident to the police and notified their PSP without delay.
This highlights that the MAS approach is relatively light touch and spreads the burden, in a way that has not been accounted for yet by European governments and regulators attempting to tackle the issue.
However, similarly to the EU and UK, Singaporean regulators have not yet placed any financial burden on social media firms. The MAS, for example, has no oversight over them.
The Online Criminal Harms Act (OCHA), which was enacted in July 2023, includes powers to issue codes of practice that promote and require good practices by designated providers to counter scams and malicious cyber activities.
The OCHA also includes powers to direct a designated provider to implement measures to minimise the exposure of Singapore users to scams or malicious cyber activities.