MAS-IMDA Proposal: Consumers, banks and telecoms to share responsibility in combating digital fraud

SINGAPORE: Amidst a concerning wave of digital fraud, a comprehensive consultation paper released by the Monetary Authority of Singapore (MAS) and the Infocomm Media Development Authority (IMDA) has laid out a meticulous framework that proposes how losses from phishing scams and similar frauds should be apportioned between consumers, banks, and telecommunication companies (telcos).

This initiative marks a significant stride toward fortifying consumer rights while ensuring that institutions uphold stringent security measures.

At the heart of the paper is a “waterfall” approach, which serves as a blueprint for assessing liability in the aftermath of unauthorized transactions. The approach positions financial institutions at the vanguard, necessitating them to implement robust anti-scam measures.

These measures include enforcing a 12-hour cooling-off period for new payees, sending real-time alerts for transactions, and maintaining round-the-clock channels for reporting suspicious activities.

In case of non-compliance or lapses, banks would be obligated to reimburse consumers fully for any losses incurred. This mandate reinforces the institutions’ accountability in their role as custodians of customer funds, a move expected to bolster public confidence in digital banking services.

Simultaneously, the framework delineates specific responsibilities for telcos, necessitating them to enhance security measures.

These include ensuring the authenticity of connections for Sender ID SMS and deploying sophisticated content filters to intercept and block scam-related communication.

Telcos would bear liability for losses if it’s determined that scams succeeded due to shortcomings in these security protocols, despite due diligence on the part of financial institutions.

However, the paper starkly highlights the responsibility of consumers in safeguarding their cyber hygiene. It points out that the onus is on individuals to prevent exposure to scams by maintaining digital diligence.

Under the new framework, consumers would bear the losses if it’s established that they failed to exercise reasonable care, even if banks and telcos have met their respective obligations.

The proposed strategy also entails a systematic four-stage process for managing claims, ranging from the initial submission to investigation, outcome communication, and, if necessary, further avenues for dispute resolution.

This structured approach is anticipated to enhance transparency and efficiency in how scam-related claims are handled, thereby reinforcing consumer trust in digital transactions.

Ms Ho Hern Shin, Deputy Managing Director (Financial Supervision), MAS, said “MAS, the financial industry and other government agencies have been collaborating closely to combat scams. The SRF assigns shared responsibility by specifying upstream anti-scam duties FIs and Telcos have to adhere.”

“Breaches of the duties will result in payouts to affected scam victims. This incentivises vigilance by all parties in the ecosystem to uphold safety in e-payments. Alongside the proposed SRF, we are also proposing amendments to the E-payments User Protection Guidelines (EUPG), to uplift the standards of anti-scam measures across the financial system, and reinforce consumer’s responsibility to take precautions against scams.”

Ms Aileen Chia, Deputy Chief Executive (Connectivity, Development & Regulation), IMDA said “IMDA has worked closely with the Telcos to implement a multi-layered approach to prevent scams from being conducted over calls and SMS.”

“Measures such as the mandatory SMS Sender ID Registry introduced in January 2023 have significantly reduced the number of scam SMS cases by 70% in the 3 months since the Registry’s launch. The inclusion of Telcos in the Shared Responsibility Framework as supporting infrastructure providers serves to strengthen the ecosystem against scams,” added Ms Chia.

Public and industry stakeholders have until 20 December 2023 to provide their feedback on the consultation paper.

What scams are covered in the proposal

The proposed guidelines will initially concentrate on phishing scams that have a distinct connection to Singapore, according to the consultation document.

These types of scams are characterized by situations where victims are lured into interacting with a phishing link, subsequently providing their personal information on a deceptive online portal.

The scams either impersonate entities operating within Singapore or foreign entities servicing Singapore residents.

A common scenario involves scammers masquerading as reputable organizations, such as SingPost or a government agency such as Ministry of Manpower, dispatching counterfeit text messages or emails containing a link to an imitation website.

By asserting issues related to the recipient’s account, they aim to dupe individuals into submitting their account information on the sham site.

However, the framework will not encompass cases where victims knowingly authorize payments, as seen in investment or romance scams, or situations where individuals are conned into directly sharing their details with scammers through messages or analog methods.

Additionally, the authorities will not immediately address malware scams, which have recently witnessed a surge, within this framework.

The reason, as articulated by MAS and IMDA, hinges on the novelty of malware scams and the ongoing deployment of countermeasures, making it untimely to delineate explicit duties for various parties involved.

In response to the evolving threat of malware scams, key retail banks in the region have initiated significant anti-malware defenses and are in the process of implementing a “funds freeze” functionality for enhanced customer protection.

Proposal for banks to reimburse victims in malware scams shot down in Parliament

Sylvia Lim, chairman of the Workers’ Party, previously thrust the issue of compensation in Parliament, proposing banks to fully reimburse scam victims for losses from malware scams beyond their control.

Speaking in an adjournment motion on 18 September, Ms Lim, citing the vulnerabilities inherent in the current digital banking landscape, had declared, “Given the delay in the publication of this framework, many scam victims have been left without recourse under the Loss Sharing Framework by no fault of their own.”

She further championed the need for stronger consumer protection protocols, referencing models in jurisdictions like the UK where banks play a more proactive role in scam prevention and victim reimbursement.

However, her proposal met resistance from Minister of State for Trade and Industry, Mr Alvin Tan. He contended that an unequivocal restitution policy could inadvertently undermine personal accountability.

In a definitive rebuttal, Mr. Tan stated, “Full restitution without due consideration of culpability is neither fair nor desirable. Doing so can erode vigilance and personal responsibility, and lull users into complacency.”

Mr Tan underscored the government’s comprehensive strategy against digital fraud, referring to the strengthening of system security via multi-factor authentication and the launch of public education campaigns and anti-scam applications like Scamshield.

He further emphasized the importance of consumer responsibility in ensuring transaction security: “Even with enhanced security, scammers can still bypass the digital security measures. This is why every consumer has to play an important role by practising good cyber hygiene and being digitally diligent.”