In brief

On 24 October 2024, the Monetary Authority of Singapore (MAS) and Infocomm Media Development Authority of Singapore (IMDA) announced that the Shared Responsibility Framework (SRF) for phishing scams will be implemented on 16 December 2024 via a set of guidelines. Under the SRF, financial institutions (FIs) and telecommunication operators (telcos) are assigned duties to mitigate phishing scams. The MAS and IMDA expect responsible entities to bear any scam losses arising from failure to fulfil any of the relevant duties under the “waterfall” approach.

The MAS and IMDA published a joint consultation paper on the SRF (“Consultation”) on 25 October 2023, with the consultation period closing on 20 December 2023. Our earlier alert on the consultation can be accessed here. Our Local Principal Ying Yi Liew and Associate Joan Choo also wrote an article for the Singapore Law Gazette (September 2024 issue) on who bears the responsibility for tackling scams, which explores the SRF, recent regulatory changes, and their implications for financial institutions and tech platforms. Read the full article here.


Key implementation actions

Overall feedback on the SRF from the public was supportive. In response to the feedback received, the MAS will include an additional FI duty in the area of fraud surveillance, which requires FIs to have in place real-time fraud surveillance to identify unauthorised transactions linked to phishing scams. If a customer’s account is being rapidly drained of a significant sum by scammers, the FI must either block the transaction until it is able to reach the customer for positive confirmation or send a notification to the customer and block or hold the transaction for 24 hours. For this new fraud surveillance duty, there will be an additional six-month transition period, as this was not part of the original FI duties. The other duties will come into force on 16 December 2024, and compliance will be expected from then.

We recap the SRF duties of responsible FIs and responsible telcos below:

Duties of responsible FIs

  • FI Duty #1: Impose a 12-hour cooling-off period upon activation of a digital security token, during which “high-risk” activities cannot be performed. The equivalent duty applies in the context of accounts issued by relevant payment service providers when a new device is used to log in.
  • FI Duty #2: Provide notification alerts on a real-time basis for the activation of a digital security token to alert consumers to high-risk activity that may not have been authorised by the consumer. The equivalent duty applies in the context of accounts issued by relevant payment service providers when there is a login on a new device, or during the conduct of high-risk activities.
  • FI Duty #3: Provide outgoing transaction notification alerts on a real-time basis, which are essential in prompting consumers to react when there are unauthorised transactions (e.g., by immediately reporting to the FI) and enable the FI to take timely remedial action.
  • FI Duty #4: Provide a 24/7 reporting channel and self-service feature (kill switch) to report and block unauthorised access to their accounts. FIs should also provide a kill switch that consumers can self-activate to immediately block their account and prevent further unauthorised transactions.
  • [New] FI Duty #5: Put in place real-time fraud surveillance directed at detecting unauthorised transactions in a phishing scam that results in an account being rapidly drained of a material sum to a scammer. In such scenarios, the FI must either block the transaction until it is able to reach the customer for positive confirmation, or send a notification to the customer and block or hold the transaction for 24 hours. The MAS will allow a six-month transition period for FIs to comply with this fraud surveillance duty.

Duties of responsible telcos

  • Telco Duty #1: Connect only to authorised aggregators for delivery of Sender ID SMS to subscribers.
  • Telco Duty #2: Block Sender ID SMS that are not from authorised aggregators.
  • Telco Duty #3: Implement an anti-scam filter for all SMS that pass through its network, where the SMS will be scanned to determine if it contains any URL that matches that of a known malicious URL in a designated database.

Further information

For further details on the SRF, you may refer to the following:

  • MAS Media Release on Implementation of Shared Responsibility Framework (24 October 2024) (link)
  • MAS Response to Consultation Paper on Proposed Shared Responsibility Framework (24 October 2024) (link)
  • MAS Consultation Paper on Proposed Shared Responsibility Framework (25 October 2023) (link)

Our Financial Services Regulatory team recently provided insights on the SRF and broader regulatory considerations for FIs in tackling the growing scam crisis:

  • We shared our expert insights on Singapore’s enforcement response to the escalating scams crisis, at our Scams: Regulatory Expectations for FIs seminar on 17 September 2024. We discussed the latest legislative developments regarding scams as well as the critical steps FIs should take to implement the anti-scam measures under the MAS-ABS anti-scam initiatives, Guidelines for E-Payments User Protection and Guidelines on SRF, among others. See our LinkedIn post on the seminar here.

* * * * *

© 2024 Baker & McKenzie.Wong & Leow. All rights reserved. Baker & McKenzie.Wong & Leow is incorporated with limited liability and is a member firm of Baker & McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a “principal” means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an “office” means an office of any such law firm. This may qualify as “Attorney Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.

Author

Stephanie Magnus co-heads the Asia Pacific Financial Institutions Group and heads up the Financial Services Regulatory Practice Group in Singapore. Stephanie is ranked Band 1 for FinTech in Singapore by Chambers FinTech 2020. She is also ranked as a Leading Individual for Financial Services Regulatory: Local Firms in Singapore by Legal 500 Asia Pacific 2020. She is recognised as a leading lawyer for Banking & Finance: Regulatory in Singapore by Chambers Asia Pacific and Chambers Global 2020. Stephanie was quoted in Chambers Asia Pacific for her "timely, practical and business-oriented" advice, with a "deep understanding of the regulatory regime." She is also recognised as "very business-savvy and brilliant every time," and is admired for her "very strong grasp of the legal issues from both a technical and practical perspective."

Author

Eunice is a principal in the Financial Services Regulatory practice group of Baker McKenzie's Singapore office and a member of the Firm's Global Financial Services Regulatory Steering Committee. Eunice has extensive experience in regulatory, legal and compliance matters in the financial services and fintech sectors. Her clients include banks, investment managers, broker-dealers, payments companies and other financial institutions.
Eunice is consistently recognised as the Next Generation Partner for Financial Services Regulatory in Legal 500 Asia Pacific. Clients have described her as: "an exceptional lawyer with deep knowledge of financial services"; "commercial and solutions-oriented and has an excellent relationship with the regulator which is of benefit to her clients"; "singled out for being smart and having the ability to navigate the Singapore regulatory landscape"; "is responsive, pleasant and willing to explore different parameters" and "is outstanding in that she always carefully and clearly explains the situation and background of the issue so that we can fully understand it, she always has a quick response and she has a deep understanding of the financial industry and our company."
Eunice is a frequent speaker at legal and financial industry seminars and forums. She also regularly assists clients in coordinating industry responses and participating in consultation with the Monetary Authority of Singapore on policy and legislative changes.

Author

Ying Yi is a Local Principal in the Financial Services Practice Group of Baker McKenzie Wong & Leow in Singapore. She focuses on regulatory and compliance issues in the financial services sector. She is ranked Next Generation Partner for Fintech and Financial Services Regulatory: Local Firms by Legal 500, Up and Coming for Banking and Finance: Regulatory in Singapore by Chambers Asia Pacific and Band 3 for Fintech Legal in Singapore by Chambers Fintech.
She is described as an "outstanding lawyer" who is "praised for being in touch with market developments and going the extra mile to understand client needs" by Legal 500 Asia Pacific. Chambers Asia Pacific cites her strengths as "responsive and genuinely cares about her clients and their business goals. She is very well connected and tuned into the latest regulatory developments, especially in the fintech, digital payments and blockchain space".