Introduction
Phishing scams are a growing threat to consumers and businesses in Singapore as more transactions move online. As part of a broader push to tackle online harms and scams this year (see our previous alert), the Monetary Authority of Singapore (MAS) and the Infocomm Media Development Authority (IMDA) have jointly developed the Shared Responsibility Framework (SRF) to enhance the accountability and protection of financial institutions (FIs) and telecommunication operators (Telcos) in mitigating phishing scams. The SRF was published for public consultation in October 2023 and will take effect from 16 December 2024.
SRF scope and duties
The SRF applies to FIs, including all full banks and relevant payment service providers (PSPs) that issue e-wallets, and Telcos that are mobile network operators. The SRF covers phishing scams where scammers impersonate a legitimate business or government entity, based in Singapore or overseas and offering services to Singapore residents, and where victims reveal their account credentials on a fake digital platform, such as a website or an application, leading to unauthorised transactions. The SRF does not cover other types of scams, such as malware scams, authorised transactions or phishing via non-digital means.
FIs and Telcos have the following duties under the SRF:
- FIs must impose a 12-hour cooling-off period upon activation of a digital security token or login on a new device, during which high-risk activities cannot be performed.
- FIs must provide real-time notification alerts for the activation of a digital security token or login on a new device, as well as for high-risk activities and outgoing transactions.
- FIs must provide a 24/7 reporting channel and self-service feature (“kill switch”) for consumers to report and block unauthorised access to their accounts.
- FIs must have in place real-time fraud surveillance to detect unauthorised transactions in a phishing scam that rapidly drain an account of a material sum to a scammer. An account is considered rapidly drained of a material sum if it had a balance of SGD 50,000 or more immediately prior to the unauthorised transaction, and if more than half of that balance was transferred out within 24 hours. This duty was introduced after the public consultation, and FIs will have a six-month transition period to comply.
- Telcos must connect only to authorised aggregators for the delivery of any sender ID SMS, block any sender ID SMS messages that are not from authorised aggregators, and implement an anti-scam filter to block SMS messages containing malicious links.
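The rapid-drain criterion in the fraud surveillance duty above, written as detection logic over an account's transaction history. This is an added example, not part of the SRF or of the original alert; the function name, the sample data, and the reading that each outgoing transfer can start a 24-hour window are assumptions.

```python
from datetime import datetime, timedelta

MATERIAL_BALANCE_SGD = 50_000   # "balance of SGD 50,000 or more"
WINDOW = timedelta(hours=24)    # "transferred out within 24 hours"

def rapid_drain_alerts(opening_balance, transactions):
    """Flag windows where more than half of a material balance leaves in 24h.

    transactions: iterable of (timestamp, amount_sgd); negative = outgoing.
    Returns a list of (window_start, alert_time, balance_before, total_out),
    where alert_time is the transfer that pushes the total past half.
    Assumptions (not from the SRF text): each outgoing transfer may start a
    window, and every outgoing transfer counts towards the total.
    """
    txs = sorted(transactions)
    alerts, balance, covered_until = [], opening_balance, None
    for i, (start, amount) in enumerate(txs):
        before, balance = balance, balance + amount
        if amount >= 0 or before < MATERIAL_BALANCE_SGD:
            continue                      # incoming, or balance not material
        if covered_until is not None and start < covered_until:
            continue                      # already inside an alerted window
        total_out = 0
        for ts, amt in txs[i:]:
            if ts - start >= WINDOW:
                break                     # outside the 24-hour window
            if amt < 0:
                total_out += -amt
            if 2 * total_out > before:    # strictly more than half
                alerts.append((start, ts, before, total_out))
                covered_until = start + WINDOW
                break
    return alerts

# Constructed sample: SGD 80,000 balance, three transfers in 65 minutes.
SAMPLE = [
    (datetime(2024, 12, 20, 9, 0), -15_000),
    (datetime(2024, 12, 20, 9, 20), -15_000),
    (datetime(2024, 12, 20, 10, 5), -12_000),
]

if __name__ == "__main__":
    for start, fired, before, out in rapid_drain_alerts(80_000, SAMPLE):
        print(f"window from {start}: SGD {out:,} of {before:,} out by {fired}")
```

In production the input would be limited to transfers the FI's fraud models already treat as suspect, since legitimate large payments also match this threshold.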
Waterfall approach and operational workflows
The SRF adopts a “waterfall” approach for sharing responsibility for scam losses arising from covered phishing scams. The FI will be required to bear the full scam losses if it has breached any of its duties. If the FI has not breached any of its duties, the Telco will be held liable if it has breached any of its own duties. The consumer will bear the losses if neither the FI nor the Telco has breached any of their duties.
The SRF also sets out a four-stage operational workflow for handling claims, namely: 1) the claim stage, 2) the investigation stage, 3) the outcome stage, and 4) the recourse stage. The FI will be the primary touchpoint with the consumer, and will coordinate with the Telco where relevant. The FI and the Telco will have to complete their investigations within 21 business days for straightforward cases or 45 business days for complex cases. If the consumer is dissatisfied with the outcome, they may seek recourse via channels such as the Financial Industry Disputes Resolution Centre or the courts.
Conclusion
The SRF strikes a balance between ensuring the direct accountability of FIs and Telcos to consumers and upholding the principle of consumer vigilance in protecting themselves against scams. FIs and Telcos should familiarise themselves with the SRF duties and ensure that they have in place the necessary processes to comply. Although some FIs have implemented measures like kill switches, FIs must note the new duty of fraud surveillance and ensure that their systems can perform the required level of monitoring.
Client Alert 2024-222