In brief
On 24 October 2024, the Monetary Authority of Singapore (MAS) and Infocomm Media Development Authority of Singapore (IMDA) announced that the Shared Responsibility Framework (SRF) for phishing scams will be implemented on 16 December 2024 via a set of guidelines. Under the SRF, financial institutions (FIs) and telecommunication operators (telcos) are assigned duties to mitigate phishing scams. The MAS and IMDA expect responsible entities to bear any scam losses arising from failure to fulfil any of the relevant duties under the “waterfall” approach.
The MAS and IMDA published a joint consultation paper on the SRF (“Consultation”) on 25 October 2023, with the consultation period closing on 20 December 2023. Our earlier alert on the consultation can be accessed here. Our Local Principal Ying Yi Liew and Associate Joan Choo also wrote an article for the Singapore Law Gazette (September 2024 issue) on who bears the responsibility for tackling scams, which explores the SRF, recent regulatory changes, and their implications for financial institutions and tech platforms. Read the full article here.
Key implementation actions
Overall feedback on the SRF from the public was supportive. In response to the feedback received, the MAS will include an additional FI duty in the area of fraud surveillance, which requires FIs to have in place real-time fraud surveillance to identify unauthorised transactions linked to phishing scams. If a customer’s account is being rapidly drained of a significant sum by scammers, the FI must either block the transaction until it is able to reach the customer for positive confirmation, or send a notification to the customer and block or hold the transaction for 24 hours. There will be an additional six-month transition period for this new fraud surveillance duty, as it was not part of the original FI duties. The other duties will come into force on 16 December 2024, and compliance will be expected from then.
We recap the SRF duties of responsible FIs and responsible telcos below:
Duties of responsible FIs
- FI Duty #1: Impose a 12-hour cooling-off period upon activation of a digital security token, during which “high-risk” activities cannot be performed. The equivalent duty applies in the context of accounts issued by relevant payment service providers when a new device is used to log in.
- FI Duty #2: Provide notification alerts on a real-time basis for the activation of a digital security token to alert consumers to high-risk activity that may not have been authorised by the consumer. The equivalent duty applies in the context of accounts issued by relevant payment service providers when there is a login on a new device, or during the conduct of high-risk activities.
- FI Duty #3: Provide outgoing transaction notification alerts on a real-time basis, which are essential in prompting consumers to react when there are unauthorised transactions (e.g., immediately reporting to the FI), and enable the FI to take timely remedial action.
- FI Duty #4: Provide a 24/7 reporting channel and self-service feature (kill switch) to report and block unauthorised access to their accounts. FIs should also provide a kill switch that consumers can self-activate to immediately block their account and prevent further unauthorised transactions.
- [New] FI Duty #5: Put in place real-time fraud surveillance directed at detecting unauthorised transactions in a phishing scam that results in an account being rapidly drained of a material sum to a scammer. In such scenarios, the FI must either block the transaction until it is able to reach the customer for positive confirmation, or send a notification to the customer and block or hold the transaction for 24 hours. The MAS will allow a six-month transition period for FIs to comply with this fraud surveillance duty.
Duties of responsible telcos
- Telco Duty #1: Connect only to authorised aggregators for delivery of Sender ID SMS to subscribers.
- Telco Duty #2: Block Sender ID SMS that are not from authorised aggregators.
- Telco Duty #3: Implement an anti-scam filter for all SMS that pass through its network, where the SMS will be scanned to determine if it contains any URL that matches that of a known malicious URL in a designated database.
Further information
For further details on the SRF, you may refer to the following:
- MAS Media Release on Implementation of Shared Responsibility Framework (24 October 2024) (link)
- MAS Response to Consultation Paper on Proposed Shared Responsibility Framework (24 October 2024) (link)
- MAS Consultation Paper on Proposed Shared Responsibility Framework (25 October 2023) (link)
Our Financial Services Regulatory team recently provided insights on the SRF and broader regulatory considerations for FIs in tackling the growing scam crisis:
- We shared our expert insights on Singapore’s enforcement response to the escalating scams crisis, at our Scams: Regulatory Expectations for FIs seminar on 17 September 2024. We discussed the latest legislative developments regarding scams as well as the critical steps FIs should take to implement the anti-scam measures under the MAS-ABS anti-scam initiatives, Guidelines for E-Payments User Protection and Guidelines on SRF, among others. See our LinkedIn post on the seminar here.
* * * * *
© 2024 Baker & McKenzie.Wong & Leow. All rights reserved.