The Monetary Authority of Singapore (MAS) and Infocomm Media Development Authority (IMDA) have published a joint consultation paper proposing a shared responsibility framework (SRF) for phishing scams. The paper seeks comments on the scope of the SRF and the duties of FIs and telcos under the framework, among other matters.
The SRF assigns financial institutions (FIs) and telecommunication companies (telcos) relevant duties to mitigate phishing scams. The framework will also require FIs and telcos to make payouts to affected scam victims where these duties are breached.
The framework builds on the work that was done by the Payments Council in 2022, where the council was working on a framework for sharing losses due to phishing scams. That framework covered only FIs.
This time, the SRF covers FIs, which play a critical role as gatekeepers against the outflow of monies due to scams, as well as telcos, which are said to play a supporting role as infrastructure providers for SMS, a channel FIs use for official communication.
“Among scam types prevalent today, digitally-enabled scams that result in unauthorised transactions are of particular concern. As such transactions are performed without the customer’s knowledge or consent, they could undermine confidence in our digital banking and payments systems,” say the MAS and IMDA in a joint statement dated Oct 25.
According to MAS and IMDA, the SRF will focus on a defined scope of phishing scams where consumers are tricked into revealing their account credentials to scammers impersonating legitimate entities, leading to unauthorised transactions being performed.
“The proposed framework aims to strengthen the direct accountability of FIs and telcos to consumers. It sets out discrete and well-defined duties for FIs and telcos to mitigate the risk of consumers falling prey to phishing scams. Breaches of these duties, such as a failure to send outgoing transaction notification(s) to consumers in the case of FIs, and a failure to implement a scam filter in the case of telcos, would be the starting point for determining the party to be held responsible for losses under the framework,” say MAS and IMDA. “It therefore incentivises FIs and telcos to strictly uphold the desired standards of anti-scam controls.”
The party that bears responsibility for the losses will be determined using a “waterfall approach”. FIs are first in line to bear the losses, given that they hold greater responsibility as custodians of consumers’ money. Telcos stand second in line due to their secondary role in fostering the security of digital payments by facilitating SMS delivery. If both FIs and telcos are deemed to have fulfilled their duties, the SRF will not require payouts to be made to consumers.
Consumers are therefore encouraged to exercise vigilance at all times.
At this point, the SRF will not cover malware-enabled scams (malware scams).
“Although malware scams also result in unauthorised transactions which could undermine confidence in digital banking, this type of scam is relatively new, and it is premature to set out specific malware scam-related duties at this stage given that these risk-mitigating measures are still developing,” say MAS and IMDA.
“The government is resolute in fighting malware scams and has been working closely with the industry to take upstream and downstream safeguard measures, together with extensive public education. The government will continue to monitor the evolving scam landscape in the future application of the SRF,” they add.
“MAS, the financial industry and other government agencies have been collaborating closely to combat scams. The SRF assigns shared responsibility by specifying upstream anti-scam duties FIs and telcos have to adhere to. Breaches of the duties will result in payouts to affected scam victims. This incentivises vigilance by all parties in the ecosystem to uphold safety in e-payments. Alongside the proposed SRF, we are also proposing amendments to the E-payments User Protection Guidelines (EUPG), to uplift the standards of anti-scam measures across the financial system, and reinforce consumers’ responsibility to take precautions against scams,” says Ho Hern Shin, deputy managing director (financial supervision), MAS.
“IMDA has worked closely with the Telcos to implement a multi-layered approach to prevent scams from being conducted over calls and SMS. Measures such as the mandatory SMS Sender ID Registry introduced in January 2023 have significantly reduced the number of scam SMS cases by 70% in the three months since the Registry’s launch. The inclusion of telcos in the Shared Responsibility Framework as supporting infrastructure providers serves to strengthen the ecosystem against scams,” adds Aileen Chia, deputy chief executive (connectivity, development and regulation) at IMDA.
Singapore Telecommunications (Singtel) says it is "committed to protecting the security of all users as scams grow in sophistication and pervasiveness", adding that it proactively blocks scam calls and scam messages every month. It also raises scam awareness among members of the public, including vulnerable seniors, through its digital literacy programmes.
"We also work closely with IMDA to implement various measures including the SMS Protection registry and the +65 prefix to help consumers identify potential scam calls, and are continuing to explore new measures to counter this threat. We will carefully review the public consultation document and respond in due course," says a spokesperson from the telco.
Interested parties may submit their comments by Dec 20.