MAS to publish framework on sharing liability for scam losses in next 3 months


SINGAPORE - All parties – banks and customers alike – should shoulder the responsibility for fighting scams, the Monetary Authority of Singapore (MAS) asserted on Friday (Feb 4). 

It said that OCBC’s recent $13.7 million payouts to its customers who had been scammed were a one-off gesture, considering the circumstances, such as how the bank had not met its own expectations of customer service and response.

“They do not set a general precedent for future cases,” the financial sector regulator added.

MAS said it would seek public feedback on a framework that would spell out how losses from scams are to be shared between consumers and financial institutions, including responsibilities of other key parties involved.

This may be revealed within the next three months, it said.

OCBC recently made goodwill payments to fully refund 790 OCBC Bank customers who were victims of a phishing scam where fraudsters spoofed the bank’s name in SMSes. 

Some customers claimed that it took so long to get through to a person via OCBC’s hotline that, by the time it was able to take action, the scammers had siphoned much of their funds.

MAS is leading a task force, called the Payments Council, to review practices that the financial industry can put in place to better protect consumers.

It was mentioned last July that this included a review on how to apportion the liability of a fraudulent online transaction.

Under the liability framework, MAS said on Friday that “all parties have responsibilities to be vigilant and to take precautions against scams”.

For example, financial institutions must have measures to safeguard customer accounts, and detect and respond to suspicious transactions.

Customers have to take precautions, such as never giving away personal or banking credentials to anyone. They should never click on links in SMSes or e-mails that seemingly come from a bank, and should transact only through the bank’s official website or mobile app.

The proportion of losses each party bears “will depend on whether and how the party has fallen short of its responsibilities”, said the authority.

MAS will be seeking public feedback on this framework, which also covers “the responsibilities of other key parties in the ecosystem”.

Currently, victims misled into giving out their banking details in phishing scams are often held responsible for the funds lost, especially if the bank’s information technology system has not been compromised, lawyers said.

But banks may have to bear scam losses in cases where they failed to take reasonable care while the customers took steps to protect their interests, said lawyer Steven Lam, a director at Templars Law. 

This includes instances where banks failed to adopt proper safety and due diligence protocols, or internationally recognised good practices.

As for other key parties who may be covered by the framework, lawyer Bryan Tan, a partner at Pinsent Masons MPillay, said that one issue is whether MAS can regulate them.

Cyber security experts have said that telcos have a role to play in fighting SMS scams. But it is unclear if they are being considered in MAS’ framework.

Mr Tan said the issue of other parties’ liability is tricky. 

“While SMS is a relatively inexpensive service, it could lead to large consequential losses far in excess of their service value,” he said. 

This could make insuring SMS services more costly.

Earlier on Jan 19, MAS and the Association of Banks in Singapore (ABS) announced a slew of measures that banks here must put in place in two weeks to boost the security of digital banking following the scams targeting OCBC customers.

These include removing clickable links in e-mails or SMSes sent to retail customers, and delaying the activation of a new soft token used to verify transactions on a mobile device by at least 12 hours.

MAS said on Friday that banks in Singapore “have substantially implemented the additional measures”.

“The measures, taken together, provide a significant added layer of security to protect customers’ funds,” it added.

The regulator urged consumers to be more vigilant and follow practices such as verifying SMSes or e-mails received by calling the bank directly via the hotline listed on its official website.

Consumers should also update their devices with the latest security patches and anti-virus software.

To improve the chances of getting back lost funds, consumers should closely monitor transaction notifications they get from the bank, so that any unauthorised payments are reported as soon as possible.
