Wednesday, May 29, 2024
Homesingapore businessNegligent banks, telcos may be held responsible for scam victims’ losses as...

Negligent banks, telcos may be held responsible for scam victims’ losses as part of proposed measures

SINGAPORE: Financial institutions and telecommunication companies (telcos) in Singapore may have to compensate their customers who have fallen prey to scams if they are found to have breached their responsibilities.

These responsibilities prescribed under a proposed framework include failure by banks to send outgoing transaction alerts to consumers and telcos failing to implement a scam filter for SMSes. As a start, the framework will focus on phishing scams which account “for a sizeable proportion of unauthorised transactions” here.

These are among the proposals put forth by the Monetary Authority of Singapore (MAS) and the Infocomm Media Development Authority (IMDA) on Wednesday (Oct 25) in a long-awaited consultation paper on how losses arising from scams will be shared between companies and consumers.

The shared responsibility framework was first announced in February 2022 after close to 800 OCBC customers lost a combined S$13.7 million to scammers.

The MAS said then it would publish a draft framework for public consultation in the next three months. But the process has taken “longer than expected” due to the complexity of the issues involved, the financial regulator said in previous parliamentary replies.

In the consultation paper released on Wednesday, the authorities acknowledged that “responsibility for preventing scams should not lie solely with consumers but also with industry stakeholders”, such as the financial institutions and telcos.

Financial institutions play “a critical role as gatekeeper against the outflow of monies due to scams”, while telcos play “a supporting role” as infrastructure providers for SMS, they said.

These stakeholders are currently answerable to regulators if they fail to implement the necessary anti-scam measures. But there is “no framework for entities to be directly accountable to consumers who have suffered scam losses due to lapses by the said entities”, the paper said.

The shared responsibility framework will hence set the government’s expectation that these players “should bear responsibility for scam loss ahead of consumers” if they fail to meet prescribed anti-scam duties.

The inclusion of telcos under a loss-sharing framework makes Singapore the first to do so. “Currently, no known jurisdictions have included telecommunication operators or other infrastructure service providers in their scam reimbursement frameworks,” the paper said.

The proposed framework, targeted to be rolled out next year, also hopes to “provide a more expedient channel for consumer recourse”.

Determination of responsibility will be based on a “waterfall approach” where financial institutions, followed by telcos, are expected to bear the full loss if they fail to discharge their respective duties.

If both the financial institution and telco have carried out their duties, the consumer will have to bear the full loss.

“It is therefore critical for consumers to continue to exercise vigilance at all times and not click on any unsolicited, suspicious links,” MAS and IMDA said in a joint release.

Related:

Banks, telcos must step up anti-scam efforts or risk paying for losses in full: MAS, IMDA | Video

CNA Explains: What happens to scam proceeds and can victims get back their money?

WHAT SCAMS ARE INCLUDED

The proposed framework will focus on phishing scams with a “clear Singapore nexus” as a start, the consultation paper said.

Such scams are defined as victims being deceived into clicking on a phishing link and entering their credentials on a fraudulent digital platform. They should also involve Singapore-based impersonated entities, or entities based overseas that offer their services to Singapore residents.

One example is when a scammer pretends to be from a legitimate entity, such as SingPost or DHL, and sends out spoofed SMSes or emails with a link to a fake website. Claiming that there are account-related issues, the intent is to trick victims into entering their account details on the fraudulent platform.

What will not fall under the framework include instances where payments to scammers are authorised by the victims such as investment or love scams, as well as cases where consumers were deceived into giving away their credentials directly to the scammers via text messages and non-digital means.    Malware scams, which have seen a spike in recent months, are also not included for now.

Authorities said the proposed framework is “intended to apply to common and known scam typologies for which duties of respective stakeholders are more well-defined”.

With malware scams being relatively new and risk-mitigation measures still being rolled out, it will be “premature” to set out specific responsibilities for the different stakeholders, MAS and IMDA said.

For example, major retail banks here have rolled out new anti-malware security updates and are also looking to introduce a “money lock” feature to protect their customers.

Related:

CNA Explains: Are Android devices more prone to malware and how do you protect yourself from scams?

Commentary: Singapore banks’ latest anti-scam measures may be inconvenient, but would you rather lose your life savings?

WHAT ARE THE DUTIES OF BANKS AND TELCOS?

The framework sets out “discrete and well-defined” anti-scam duties for financial institutions and telcos. 

Failure to fulfil any of the duties will render these companies responsible for compensation to their customers. Such a move will incentivise financial institutions and telcos to “strictly uphold” the desired standards of anti-scam controls, authorities said.

Here are the duties of financial institutions (full banks and relevant payment service providers):

Impose a 12-hour cooling-off period upon activation of digital token; during which, high-risk activities cannot be carried outSend notification alerts on a real-time basis for activation of digital token and conduct of high-risk activitiesProvide outgoing transaction notifications on a real-time basisProvide a 24/7 reporting channel and a self-service feature for consumers to promptly block online payment transfers from their accounts

Here are the duties of telcos: 

Connect only to authorised aggregators for delivery of Sender ID SMS to ensure that these SMS originate from bona fide senders registered with the SMS Sender ID Registry regimeBlock Sender ID SMS from unauthorised aggregators to prevent delivery of Sender ID SMS originating from unauthorised SMS networksImplement an anti-scam filter over all SMS to block SMS with known phishing links

That said, authorities stressed that a “discerning and vigilant public” remains the first line of defence against scams.

“Individuals have a responsibility to mitigate the occurrence of scams by practising proper cyber hygiene and not giving away their credentials to a third party under any circumstance,” they said.

Anti-scam measures rolled out by telcos

IMDA has partnered telcos to take on a “multi-layered approach” to disrupt scam operations across various communications channels. 

One such safeguard is the anti-scam filters. Since October 2022, IMDA has required telcos to implement anti-scam filtering solutions at the network level.

These anti-scam filtering solutions filter scam SMS messages through the detection of known malicious URLs, and suspicious patterns, such as keywords, phrases and message formats that are typically used in scam SMS.

There is also the SMS Sender ID Registry Regime (SSIR) which requires all organisations that send SMSes using alphanumeric sender IDs – SMS labels with letters or numbers typically sent through applications – to be registered.

Starting Jan 31, phone messages from organisations that have not enrolled in the central SMS registry will be labelled “likely scam”.

There has been “strong support” for the SSIR, with more than 3,600 merchants onboard the SSIR as of June this year. These merchants – which include financial institutions, e-commerce operators, logistics providers – account for over 96 per cent of Sender ID SMS organisations.

Together, these measures have significantly reduced the number of scam SMS cases by 70 per cent in the three months since the registry’s launch in January, said IMDA’s deputy chief executive of connectivity, development and regulation Aileen Chia.

Collapse Expand

Related:

Telcos, banks all aboard as public, private sectors work together to tackle rising scam cases

HOW WILL COMPENSATION BE DETERMINED?

A “waterfall” approach will be taken to assess who bears the losses arising from an unauthorised transaction in a phishing scam covered under the proposed framework. 

First in line are the financial institutions given their primary accountability to consumers as custodians of their money. A breach of any of its duties will render the financial institution liable for full compensation. 

Next in line are the telcos, given their “secondary and supporting role” as infrastructure provider for the delivery of SMS. In the event that a financial institution is deemed to have fulfilled its duties but the telco has failed, the latter will be expected to bear the full losses incurred.

If both the financial institutions and telcos have carried out their duties, the consumer will have to bear the full losses.

Authorities said the “waterfall” approach is intended as a “practical means for more straight-forward assessment of how responsibility will be shared for covered phishing scams”. 

More importantly, it “incentivises all parties to stay vigilant and perform their roles to uphold the safety of e-payments”, it said in the consultation paper.

The paper sets out a four-stage workflow to handle consumer claims:

Claim stage: Victims should make a police report and file a claim with their financial institution. The financial institution – being the “first and overall point of contact” – will assess if the claim falls within the framework and inform a responsible telco where applicable, such as when the scam was perpetrated through SMS.Investigation stage: Financial institutions, and telcos if applicable, should conduct the investigation in a “fair and timely manner”. These investigations should be completed within 21 business days for straightforward cases, or 45 business days for complex cases.Outcome stage: The financial institution will inform and explain the outcome to the consumer once investigations are completed. This will include the quantum of payouts, if any.Recourse stage: If a customer does not agree with the investigation outcome, he or she may pursue further action through avenues of recourse such as the Financial Industry Disputes Resolution Centre.

How the proposed shared responsibility framework works

1. When a financial institution is responsible

A case study provided in the consultation paper lays out the scenario of how a consumer had clicked on a phishing email and entered his account credentials on a fake website mimicking a financial institution.

The scammer subsequently used the account credentials and OTPs provided to take over the consumer’s account without his knowledge and set up a digital token.

Due to a system error, the financial institution did not impose a 12-hour cooling-off period during which high-risk activities could not be performed. As a result, the scammer was able to increase the consumer’s online transaction limit from S$5,000 to S$10,000 – a high-risk activity – within the 12 hours following the new digital token’s activation.

The consumer had seen the notification alerts informing him of the activation of a new digital token and the increase in transaction limit, but did not act on either of these alerts. The scammer then proceeded to make multiple transactions of S$10,000 each out of the consumer’s account.

In this case, the financial institution bears the full losses given how it had failed its duty to provide a 12-hour cooling off period. This is despite the consumer having failed to take due diligence by clicking on a phishing link and choosing to ignore the notification alerts that were sent to him.

2. When a telco is responsible

In another case study provided, a consumer had received an SMS with the Sender ID “DBS Bank” asking him to reset his digibank password via a link.

This SMS was in fact a scam message sent by an overseas entity posing as DBS. The telco did not block this SMS.

Upon receiving the SMS, the consumer keyed in his account details on the fradulent website. After which, his account credentials, including OTPs, were used to initiate five FAST transactions amounting to S$10,000 to another local account. 

SMS transaction notifications were sent by the financial institutions for all the transactions. This means that there were no lapses by the financial institution, but the telco had failed in its duty to block the unverified SMS. In this case, the telco will bear all of the losses.

3. When a consumer is responsible

In this case, a scammer posing as a financial institution had sent a consumer a phishing email containing details of an attractive product. 

The consumer clicked on the link, and entered his account credentials and OTPs on a fake website to purchase the product. 

The account credentials, including OTPs, were later used by the scammer to initiate three FAST transactions of S$1,000, S$2,000 and S$3,000 respectively, to another local account. 

Transaction notifications were only sent for the FAST transactions of S$2,000 and S$3,000, as the consumer had previously adjusted his transaction notification threshold to S$1,500. In this case, the financial institution is not liable for failing to send out a notification alert for the S$1,000 transaction.

Telcos will not be involved in this assessment of losses because the link leading to the spoofed website was sent to the consumer via email and not SMS.

For this, the consumer bears 100 per cent of the loss.

Collapse Expand

Related:

More than S$330 million lost to scammers in first half of 2023; cases continue to rise

WHAT HAPPENS NEXT?

Apart from strengthening the “direct accountability” of financial institutions and telcos to their consumers, the proposed framework seeks to preserve confidence in digital payments and digital banking in Singapore, MAS and IMDA said.

Interested parties have until Dec 20, 2023 to submit their comments on the proposed framework. 

“The government will carefully take into account these comments when finalising the framework,” authorities said, adding that they intend to roll out the framework next year.

The authorities also stressed that this is a “starting point” for determining the sharing of losses for scams and that they will continue to monitor developments.

“The current development of the (framework) around the more established phishing scam typology, as well as the ‘waterfall’ approach to assessing payouts for scam losses, represents a starting point for the framework where two groups of key ecosystem players – financial institutions and telcos – are held accountable,” they said in the consultation paper.

“The government intends to review and update this framework (for example, coverage of scam types, participating players, duties of stakeholders, payout conditions), taking into account the practices and ongoing developments in other jurisdictions.”

The Association of Banks in Singapore expressed its support for the proposed framework, calling it “a good first step in setting the baseline for shared responsibility across the digital ecosystem in preventing scams”. 

“To bolster our fight against scams and fraud, we believe that it is necessary for us to galvanise collective action, which includes other members of the digital ecosystem such as tech companies and e-commerce platforms,” said the association’s director Ong-Ang Ai Boon.

When contacted, StarHub said the proposed framework “provides guidance to customers and serves as a timely reminder to always remain vigilant”. Singtel and M1 said they are reviewing the consultation paper and will share their views with the authorities in due course.

RELATED ARTICLES
- Advertisment -

Most Popular