SINGAPORE — Financial institutions will be expected to bear the full losses incurred by customers in phishing scams if they are found to have breached proposed anti-scam obligations outlined on Wednesday (Oct 25).
Next in line for incurring any losses would be telecommunication companies (telcos) if they fail in their duties set out in a consultation paper released by the authorities.
Consumers would have to bear losses only if both the financial institutions and telcos have met all their obligations, the paper proposed.
The framework is set to be introduced next year after the consultation period which runs till Dec 20. Tweaks may be made based on feedback received.
Phishing scams are those in which scammers impersonate an entity such as a bank to trick a customer into clicking on a link and entering personal details or login credentials, which the scammer then uses to take the customer's money.
The proposed Shared Responsibility Framework (SRF) for phishing scams was unveiled in a joint consultation paper published by the Monetary Authority of Singapore (MAS) and the Infocomm Media Development Authority (IMDA).
While different stakeholders — including banks and consumers — are expected to stay vigilant and responsible in combating such phishing scams, the framework proposes that financial institutions are held primarily accountable for losses incurred from these digital phishing scams.
The proposed framework covers not just financial institutions but also telecommunication companies.
If implemented, Singapore would be the first jurisdiction to hold telcos accountable for bearing losses incurred from such phishing scams.
“The inclusion of telcos will be a unique aspect of Singapore’s SRF. Currently, no known jurisdictions have included telecommunication operators or other infrastructure service providers in their scam reimbursement frameworks,” said MAS and IMDA.
The framework takes a so-called “waterfall approach” where responsibility for losses cascades from financial institutions and telcos ahead of consumers, if these companies fail to meet their obligations as set out in the framework.
The proposed framework will also streamline reporting processes for consumers, as the financial institution would remain the first and overall point of contact for the consumer throughout the reporting and investigation process.
MALWARE SCAMS NOT COVERED UNDER FRAMEWORK
The introduction of the proposed framework comes on the heels of a rising number of phishing scams, which are among the top five scam types in Singapore.
In Wednesday’s joint consultation paper, the authorities said that phishing scams account for a “sizeable proportion” of reported unauthorised transactions.
TODAY has asked MAS for statistics on the proportion of phishing scams reported that are banking-related.
In the consultation paper, MAS and IMDA said the proposed framework will cover digitally-enabled phishing scams with a “clear Singapore nexus” for now.
This means that any entities impersonated in phishing scams should either be Singapore-based, or entities based overseas that offer their services to Singapore residents.
Phishing scams generally involve consumers being deceived into clicking on a phishing link and entering their credentials on a fake digital platform.
In doing so, they unknowingly reveal their credentials to scammers, who can proceed to perform unauthorised transactions from their accounts.
Under the consultation paper, malware-enabled scams would not be covered under the proposed framework.
Malware is short for “malicious software” and refers to a different technique used by scammers, in which the victim is tricked into installing malicious software on his or her own device, giving the scammer control over it, rather than being lured into typing credentials into a fake website.
As malware scams are still relatively new, it is “premature to set out specific malware scam-related duties at this stage given that these risk-mitigating measures are still developing,” said the authorities.
Nevertheless, they added that the Government would “continue to monitor the evolving scam landscape” in future applications of the framework.
The current proposed framework would also exclude:
- Scams where victims authorise payments to the scammer
- Scams where a consumer was deceived into giving away his or her credentials directly to the scammer via text messages or non-digital means, such as phone calls or face-to-face
- Unauthorised transaction scam variants that do not involve phishing, such as hacking or identity theft

Under the proposed framework, financial institutions must:
- Impose a 12-hour cooling-off period upon activation of digital security tokens, during which high-risk activities cannot be carried out
- Provide real-time notification alerts for the activation of digital security tokens or the conducting of high-risk activities
- Provide real-time outgoing transaction notifications by way of SMS, email or in-app notification, as selected by the consumer
- Provide a 24/7 reporting channel and a self-service feature for consumers to promptly block unauthorised transactions made from their accounts
Under the proposed framework, telcos must:
- Connect only to authorised aggregators for the delivery of Sender ID SMSes, to ensure these SMSes originate from bona fide senders registered with the SMS Sender ID Registry
- Block Sender ID SMSes which are not from authorised aggregators, to prevent delivery of Sender ID SMSes originating from unauthorised SMS networks
- Implement an anti-scam filter over all SMSes to block SMSes with known phishing links
In the event that these duties are breached, the framework proposes that:
- Financial institutions will primarily be held accountable, and are first in line to bear the full losses incurred
- If the financial institution has fulfilled all its necessary duties and the telco is instead assessed to have breached its duties, the telco will be expected to bear the full losses incurred. The telco will only be held liable if the phishing scam was perpetrated via SMS
- If both the financial institution and telco have carried out their necessary duties, the consumer would then bear the full losses
Still, while the proposed framework will ensure financial institutions and telcos are held primarily accountable, it will not absolve consumers of their continued individual responsibilities.
“A discerning and vigilant public remains the first line of defence against scams,” said MAS and IMDA.
“Individuals have a responsibility to mitigate the occurrence of scams by practising proper cyber hygiene and not giving away their credentials to a third party under any circumstance,” they added.
Industry stakeholders and members of the public interested to weigh in on the framework may do so online at go.gov.sg/srfconsultation2023 from Wednesday.
WORKFLOW FOR REPORTING AND PROCESSING CLAIMS
In the consultation paper, MAS and IMDA propose the following four-stage workflow for handling consumer claims regarding losses incurred from phishing scams:
1. Claim Stage
- A responsible financial institution would be the first and overall point of contact with the consumer
- The financial institution should assess if the claim falls within the proposed framework’s scope
- It will also be responsible for informing a telco for subsequent investigations, where applicable
2. Investigation Stage
- A responsible financial institution and responsible telco, where applicable, should conduct the investigation in a fair and timely manner
- They should ensure, through appropriate governance structures, that there are independent processes for investigating consumer claims
3. Outcome Stage
- The responsible financial institution should inform and explain the investigation outcome to the consumer
- This will include the quantum of payouts, if any
4. Recourse Stage
- Where an account holder is dissatisfied with the outcome at the Outcome Stage, he or she may pursue further action through avenues of recourse such as the Financial Industry Disputes Resolution Centre Ltd (FIDReC) or IMDA
Throughout the four stages of the claims process, MAS and IMDA propose that a single responsible financial institution be the primary point of contact with the consumer.
Having said that, the financial institution may also loop in the responsible telco to communicate with the consumer.
This should only be done in specific situations — such as to address a telco-specific query for a claim — and ought to be carried out within a single communication chain.
“This is to minimise the burden on consumers to liaise separately with the responsible financial institution and responsible telephone company in times of distress,” said the authorities.