What you need to know about the future joint liability system in Singapore

The Monetary Authority of Singapore (MAS) and the Infocomm Media Development Authority (IMDA) will introduce a shared responsibility framework (SRF) for phishing scams on December 16, 2024.

The SRF, which will be implemented through a set of SRF guidelines, aims to strengthen the direct liability of financial institutions (FIs) and telecommunications companies (telcos) for phishing losses.

The guidelines state that responsible parties will bear the scam losses for any failure to fulfil their duties, using a “waterfall” approach to determine liability.

By holding these actors accountable, the SRF strengthens consumer protections and provides clear avenues for victims of phishing losses.

Entities and types of scams covered by the Shared Responsibility Framework

The SRF applies to all full banks, major payment service providers (PSPs) and telecommunications companies, as these play an important role in protecting consumers’ financial and communications activities.

The framework specifically targets phishing scams with a clear connection to Singapore, that is, scams in which criminals impersonate local or international organizations serving Singaporeans.

While the SRF covers common phishing scams involving impersonation and unauthorized transactions, it does not cover scams involving authorized transactions, such as investment scams and romance scams.

In addition, MAS has excluded phishing scams carried out through non-digital means, as these are addressed through public education and advisories that emphasize never giving out credentials or one-time passwords (OTPs).

The SRF liability provisions also do not apply to transactions made with credit cards, charge cards or debit cards issued in Singapore.

Responsibilities of financial institutions, payment service providers and telecommunications companies in the fight against scams

Under the SRF, MAS and IMDA have established specific obligations for financial institutions, payment service providers and telecommunications companies aimed directly at combating phishing.

The final framework incorporates the originally proposed obligations and introduces a new fraud monitoring obligation for financial institutions in response to public feedback.

Duties of financial institutions and payment service providers

Financial institutions and payment service providers must implement several anti-scam measures to prevent unauthorized access and detect phishing threats.

A 12-hour cooling-off period is required before digital security tokens and new e-wallet login devices are activated, reducing the risk of unauthorized access.

Financial institutions and payment service providers must also send real-time alerts for high-risk activities, such as logins from new devices, changes to contact details, increases to transaction limits and the addition of new payees, so that consumers can respond quickly to suspicious activity.

In addition, both FIs and PSPs must provide a 24-hour self-service “kill switch,” accessible by phone or app, that lets consumers block access to their accounts if they suspect unauthorized activity.

In response to feedback, MAS introduced a new real-time fraud surveillance duty that applies specifically to financial institutions.

This duty requires financial institutions to perform real-time monitoring to detect unauthorized transactions linked to phishing scams.

If an account is being rapidly drained, the financial institution must either block the transaction until it has been confirmed with the customer or hold the transaction for 24 hours.

Financial institutions have a six-month transition period to comply with this new duty before it takes effect under the SRF.

Duties of telecommunications companies

Telecommunications companies play a key role in securing the SMS channel used for digital banking. They must connect only to authorized SMS aggregators, block SMS from unauthorized sources, and operate anti-scam filters that use machine learning to detect and block malicious URLs in SMS messages.

Compliance will be assessed based on the ability of telecommunications companies to block SMS messages containing URLs flagged by the police as malicious.

Recognizing the limitations of SMS, such as delivery failures caused by network or device conditions, IMDA also recommends a multi-channel approach to notifications to improve security across all platforms.

Determination of compensation using a waterfall approach

The SRF uses a “waterfall” approach to apportion responsibility for losses from phishing scams.

This approach places financial institutions first in line to compensate victims when SRF duties have been breached.

If both the financial institution and the telecommunications company have breached their duties, the financial institution covers the losses first, and the telecommunications company is liable only secondarily.

This establishes a fair and clear compensation structure, balancing accountability between financial and telecommunications providers while encouraging vigilance in both sectors.

Four stages of investigating SRF claims

The SRF sets out a structured four-stage process for handling claims from consumers affected by phishing scams, with refinements based on consultation feedback:

Claim stage:

To initiate an SRF claim, consumers must report the phishing scam to their financial institution within three days, providing a valid email address, a police report and, if available, digital records of the communication (such as SMS, emails or WhatsApp messages).

Financial institutions and telecommunications companies may request additional information, but should take into account victims’ limitations in providing comprehensive records.

Investigation stage:

Financial institutions conduct the investigation, coordinating with telecommunications companies where SMS-based scams are involved.

Financial institutions and telecommunications companies will conduct concurrent and independent investigations, aiming to complete straightforward cases within 21 working days and more complex cases within 45 working days.

While the financial institution serves as the primary point of contact, the telecommunications company can assist with specific queries, ensuring cooperation and timely responses.

Outcome stage:

MAS and IMDA have established a single line of communication for SRF claims, in response to public feedback calling for a streamlined process, to ensure clarity and consistency.

Recourse stage:

For cases outside the scope of the SRF, or where no breach of duty is found, consumers can turn to the Financial Industry Disputes Resolution Centre (FIDReC) or pursue a civil claim through the courts.

Source: MAS Response to the Consultation Paper on the Proposed Shared Responsibility Framework

Inclusion of e-wallets in the framework

Since 15 December 2023, revised regulatory limits on e-wallet “stock” and “flow” have allowed larger amounts to be stored in and transferred through e-wallets, so MAS requires e-wallet providers that hold a major payment institution (MPI) license to participate in the SRF.

This inclusion recognizes the increased risk of significant losses from e-wallets and requires robust consumer protection controls.

Major e-wallet providers must also join FIDReC, giving users access to mediation and dispute resolution services related to the SRF, similar to the protections available to bank account holders.

Ongoing anti-scam measures

The SRF is part of Singapore’s broader anti-scam strategy, under which MAS, IMDA and industry partners continue to strengthen defenses against phishing and other types of scams.

In addition to the SRF, MAS and IMDA are working to strengthen digital security to protect consumers.

Ho Hern Shin, Deputy Managing Director (Financial Supervision), MAS, said:

“With the addition of the new fraud monitoring duty, some retail customers may experience more inconvenience when carrying out larger transactions. This additional friction is necessary to protect customers from large unauthorized transactions.

In addition to SRF, we are exploring stronger out-of-band authentication solutions, such as the use of Fast IDentity Online (FIDO) compliant tokens, to strengthen protection against unauthorized phishing transactions.”

A FIDO-compliant token is a physical authentication device that must be in close proximity to the user’s device during a transaction, adding a further layer of protection against unauthorized access.

Eileen Chia, Deputy Director-General (Connectivity, Development and Regulation), IMDA, said:

“IMDA has worked closely with telcos to secure the SMS channel, the official channel adopted by financial institutions for digital banking, by implementing measures such as a mandatory SMS sender ID registry and an anti-fraud filter.

These measures have led to the blocking of more than 20 million SMS messages since 2023. IMDA and the telcos will continue to play their part in strengthening the anti-fraud ecosystem.”