SINGAPORE: Banks must block or hold for 24 hours suspicious transactions involving more than S$25,000.
This move must be part of banks’ real-time fraud surveillance to substantially reduce cases of customers having large sums of money rapidly drained from their accounts without their knowledge, the Monetary Authority of Singapore announced on Thursday (Oct 24).
It is among newly announced measures to counter phishing scams that could undermine confidence in Singapore’s digital banking and payments systems.
This was spelt out under the finalised Shared Responsibility Framework (SRF) for phishing scams, unveiled on Oct 24.
The SRF complements existing moves which have been made to counter scams. For instance, major retail banks have been restricting access to their apps if customers had downloaded apps from untrusted installers or apps with risky permission settings to counter malware-related scams.
Banks have six months from Dec 16, the date the SRF kicks in, to implement this new measure.
The finalised SRF governs how financial institutions and telcos may share in paying out victims’ losses in certain phishing scams if the organisations fail to perform their duties.
It aims to save consumers hassle when they are seeking reimbursement. Currently, the onus is on them to provide proof that their losses were not due to their own negligence.
Overall, banks have to fulfil five key duties, and telcos three key ones, under the SRF. If these organisations do what is necessary under the framework, consumers will bear the full losses.
“With the addition of a new fraud surveillance duty, some retail customers may experience more inconvenience when conducting larger value transactions,” said Ms Ho Hern Shin, deputy managing director (Financial Supervision) at MAS.
“This additional friction is necessary to protect customers against large unauthorised transactions.”
The finalised SRF comes after two months of industry consultation at the end of 2023 and almost a year of deliberation by the Monetary Authority of Singapore (MAS) and Infocomm Media Development Authority of Singapore (IMDA).
It is not meant to be a catch-all fraud reimbursement framework. For instance, it does not offer coverage for payments arising from investment or love scams, or for fraudulent transactions due to hacking, identity theft or the downloading of malware.
The scope of the SRF is confined to phishing scams conducted on a digital platform, such as a fake website accessed through a link, where victims are tricked into entering their account details.
Organisations that get impersonated must either be based in Singapore or they must have already offered services to Singapore residents.
For instance, this includes cases where a fraudster pretends to be from a legitimate entity such as SingPost or DHL and sends e-mails or SMSes claiming account-related issues, to trick victims into clicking a link to a fake website to enter their account details.
Also included are cases where a scammer claims to be from a financial institution offering deals like high interest rates on fixed deposits and free mobile phones to trick victims into clicking a link to a fake website to enter account credentials.
The SRF establishes the process for determining payouts arising from scam losses – by first examining whether financial services providers and telcos had fulfilled their duties. Singapore is possibly the first jurisdiction to include telcos in a fraud reimbursement framework.
MAS and IMDA said that banks and payment services providers are custodians of consumer funds and play a critical role as gatekeepers against money being misappropriated by scammers, while telcos are the infrastructure providers for SMS texts often used by banks to communicate with consumers.
First in line to be examined are banks, such as DBS Bank, UOB, OCBC Bank and Citibank, and payment service providers that offer e-wallets, such as Grab, YouTrip and Revolut. If they fail in any of their duties, they will be fully liable for the losses.
Banks’ other duties include imposing a 12-hour cooling-off period to prevent large sums from being transferred from an account to a third party if a scammer has phished a person’s credentials and activated a digital security token.
The 12-hour cooling-off will also apply to logins to an e-wallet such as Grab on a new device.
Banks and payments services providers are also expected to send real-time alerts to consumers for high-risk activities – including change of account contact details, increase in transaction limits and adding new payee – or when there is a login to an e-wallet on a new device.
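As an added illustration that is not code from the article or from any bank, the following Python model encodes the three bank duties just described: the 24-hour hold on transfers above S$25,000, the 12-hour cooling-off after a token activation or new-device login, and real-time alerts for the listed high-risk events. Treating every transfer above the threshold as "suspicious" is an assumption made for the example; the event names and account state are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Figures from the article: S$25,000 threshold, 24-hour hold, 12-hour cooling-off.
HOLD_THRESHOLD_SGD = 25_000
HOLD_WINDOW = timedelta(hours=24)
COOLING_OFF = timedelta(hours=12)
# Events the article lists as requiring a real-time customer alert (names constructed).
ALERT_EVENTS = {"contact_change", "limit_increase", "new_payee", "new_device_login"}
# Events that start the 12-hour cooling-off clock for third-party transfers.
COOLING_OFF_EVENTS = {"token_activation", "new_device_login"}


@dataclass
class AccountState:
    """Per-account surveillance state (constructed for this example)."""
    cooling_off_until: Optional[datetime] = None
    alerts: list = field(default_factory=list)


def record_event(state: AccountState, kind: str, when: datetime) -> None:
    """Apply a high-risk event: queue the alert and/or start the cooling-off window."""
    if kind in ALERT_EVENTS:
        state.alerts.append((when, kind))
    if kind in COOLING_OFF_EVENTS:
        state.cooling_off_until = when + COOLING_OFF


def evaluate_transfer(state: AccountState, amount_sgd: float,
                      to_third_party: bool, now: datetime):
    """Return ("allow" | "hold" | "block", release_time_or_None).

    Assumption: any transfer above the S$25,000 threshold counts as suspicious;
    a real bank would combine this with its own risk scoring."""
    large = amount_sgd > HOLD_THRESHOLD_SGD
    in_cooling_off = (state.cooling_off_until is not None
                      and now < state.cooling_off_until)
    if large and to_third_party and in_cooling_off:
        # Credentials may have been phished and a new token activated: block outright.
        return "block", state.cooling_off_until
    if large:
        # Hold for 24 hours so the customer or the bank can confirm or cancel it.
        return "hold", now + HOLD_WINDOW
    return "allow", None
```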
If the banks have fulfilled all their duties, the four local telcos – Singtel, StarHub, M1 and Simba Telecom – are examined next. Telcos will need to bear the full loss amount if they fail to fulfil any of their duties.
Telcos are expected to reduce the risk of scam SMSes being sent to consumers by running an anti-scam filter on their networks and blocking those with known phishing links under the SRF.
Also, telcos may deliver an SMS bearing a sender identification to a subscriber only if it originates from an authorised aggregator.
An aggregator is the link between a business that wants to send an SMS and the mobile phone network that delivers it to a user’s mobile phone. Failure to enforce this may make telcos liable for losses.
But if the telcos, too, carry out their duties properly, they will not be required to reimburse phishing victims. This applies even to those who are duped into revealing their account credentials, such as usernames and passwords, to scammers impersonating legitimate entities such as government agencies or banks.
Consumers in such cases will have to bear the full loss. They can take action by lodging a complaint at the Financial Industry Disputes Resolution Centre.
Scam victims lost a record high of more than $385.6 million in the first six months of 2024 due largely to e-commerce, jobs and phishing fraud. If the trend continues, scam losses could exceed $770 million by the end of 2024. The annual record stands at $660.7 million lost in 2022.
Losses due to phishing scams alone totalled $13.3 million in the first six months of 2024, up from $7.3 million in the same period a year ago.
Aileen Chia, IMDA deputy chief executive (Connectivity, Development & Regulation), said the authority has worked closely with the telcos to secure the SMS channel, an official channel adopted by banks for digital banking.
The SMS Sender ID Registry and anti-scam filters resulted in over 20 million SMSes blocked since 2023, she added.
The SMS Sender ID Registry is aimed at countering SMS spoofing by scammers who lure their victims by using fake SMS sender names in their messages.
To tighten the reins on phishing scams, MAS is also studying stronger authentication solutions, such as the use of Fast IDentity Online (Fido)-compliant tokens.
Fido is a set of open, standardised authentication protocols intended to ultimately eliminate the use of passwords for authentication. Passwords are costly to manage and a known security risk because they are easily compromised.
Countries like Australia have also considered shared loss schemes as a result of scams. The European Commission has proposed a “refund” to victims of certain types of fraud, while Britain is planning to enforce mandatory reimbursement by banks to scam victims of up to £1 million (S$1.66 million) – with the sending and receiving banks sharing the bill. - The Straits Times/ANN