The Monetary Singapore Authority of Singapore (MAS) and Infocomm Media Authority (IMDA) published a joint consultation paper, which sets out a Shared Responsibility Framework (SRF) allocating losses arising from scams among financial institutions (FIs), telecommunication operators (telcos) and consumers.
Under the proposed SRF, FIs and telcos will have to fulfill their respective anti-scam duties. Failure to do so may result in the FIs and telcos making payouts to scam victims for certain types of phishing scams.
In more detail
The proposed SRF is underpinned by three key policy objectives: (i) to retain confidence in digital payments and banking; (ii) to enhance the direct accountability of FIs and telcos to consumers regarding losses stemming from digital scams; and (iii) to highlight individuals’ responsibilities in combatting scams.
Types of scams covered
Not all scams are covered in the proposed SRF. At this juncture, the framework is intended to only apply to common scam typologies with a digital nexus, e.g., where scammers manage to perform unauthorized transactions because consumers were deceived into disclosing their details via phishing links.
Malware scams is a form of scam that falls outside the scope of SRF. The authorities believe that malware-enabled scams are relatively new and the corresponding risk-mitigating measures are still developing. Other scams that the SRF does not cover include scams where the victims authorize payments to the scammers, and where the scammers obtain the victims’ credentials via non-digital means like phone calls.
Duties of responsible FIs and telcos
Under the proposed SRF, FIs and telcos have to fulfill certain discrete anti-scam duties to aid consumers in responding to phishing scams.
The duties of responsible FIs include the following:
- Imposing a 12-hour cooling-off period upon activation of a digital security token. During the cooling-off period, certain “high-risk” activities like increasing transaction limits and adding new payees cannot be performed
- Providing real-time notification alerts for the activation of a digital security token and conduct of high-risk activities
- Providing real-time notification alerts for outgoing transaction
- Providing a 24/7 reporting channel and self-service feature to report and block unauthorized access to consumers’ accounts
The duties of responsible telcos include the following:
- Connecting only to authorized aggregators for delivery of Sender ID SMS to ensure that these SMS are from bona fide senders registered with the SMS Sender ID Registry regime
- Blocking Sender ID SMS from unauthorized aggregators to prevent the delivery of Sender ID SMS from unauthorized SMS networks
- Implementing an anti-scam filter over all SMS to block SMS with known phishing links
How to handle consumer claims
The SRF outlines a four-stage workflow for handling consumer claims for losses arising from scams:
- Claim stage — A responsible FI is the first point of contact with consumers and will assess whether the claim falls within the SRF.
- Investigation stage — If a responsible Telco is involved, the Telco will, along with the FI, conduct timely investigations into the consumer claims.
- Outcome stage — A responsible FI should inform and explain the outcome to the consumer.
- Recourse stage — If the consumer is not satisfied, it may pursue further action through avenues such as the Financial Industry Disputes Resolution Centre Ltd (FIDReC) or IMDA.
Interested parties are invited to submit their comments on the SRF here by 20 December 2023.
The full consultation paper on proposed SRF can be accessed here.
If you have any questions, please get in touch with your regular contact at Baker McKenzie.
© 2023 Baker & McKenzie.Wong & Leow. All rights reserved. Baker & McKenzie.Wong & Leow is incorporated with limited liability and is a member firm of Baker & McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a “principal” means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an “office” means an office of any such law firm. This may qualify as “Attorney Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.