The Monetary Authority of Singapore (MAS) has issued a set of guidelines aimed at protecting users of electronic payments from fraud, errors and security threats, as part of Singapore's cashless push.
The guidelines, to kick in by Jan 31 next year, cover both users of e-payments and financial institutions - banks, insurance providers, firms with stored value facilities and other intermediaries - that provide these electronic services.
Users are expected to provide updated contact information, monitor transaction notifications to spot suspicious activities early, and practise good security measures, according to the guidelines released yesterday.
Such security measures include installing the latest software updates and patches for their mobile phones and computers used in the transaction, and wherever possible, installing and maintaining the latest anti-virus software.
If unauthorised transactions are detected, users must report them as soon as possible, cooperate with the financial institutions promptly, and report the matter to the police if the institutions require police reports.
Financial institutions must investigate such claims quickly and provide a detailed investigation report within 21 days for straightforward cases, and 45 days for complex ones.
WHAT E-PAYMENT USERS AND FINANCIAL INSTITUTIONS MUST DO
Take basic precautions to protect themselves when using e-payments and report unauthorised transactions promptly. Users have to:
• Provide updated contact information
• Enable and monitor transaction notifications to spot suspicious activity
• Quickly report claims to the financial institution when there is an unauthorised transaction, and to the police if asked to do so
• Provide financial institutions with relevant information so they can check claims of unauthorised transactions
Banks and companies that operate stored value facilities such as e-wallets must comply with the guidelines, including:
• Notifying users about transactions via text or e-mail
• Providing a free channel for users to report unauthorised or erroneous transactions
• Probing every unauthorised transaction claim. Investigations to be done within 21 days for straightforward cases and 45 days for complex ones
• Providing a detailed investigation report to users that contains the probe outcome, and giving dispute resolution options if there are further disagreements
The guidelines spell out who bears the losses in unauthorised transactions, and the user may be held fully responsible if his behaviour was fraudulent or reckless. This includes using a "jail-broken phone", in which a mobile phone's firmware is altered without the manufacturer's approval.
But if the institution is at fault, it is liable for the full amount.
It will also have to bear full liability even if third parties caused the incident, for transactions up to $1,000.
All other situations, including losses above $1,000 and attributed to third-party fault, will be assessed on a case-by-case basis by the financial institution.
For transactions that are made in error, a user will need to inform the financial institution immediately, while the institution cannot debit the recipient's account without his consent. Simple cases will require the user's and recipient's financial institutions to make reasonable efforts to recover the erroneous sum within a one-week period.
However, scams are not considered unauthorised or erroneous transactions, as the user was deceived by a scammer unrelated to financial institutions or merchants.
The guidelines encourage the wider adoption of e-payments by setting standards on the responsibilities of both groups, said the MAS. They are part of an e-payment road map set out by MAS in 2016 to modernise regulations on cashless transactions. Earlier this year, MAS conducted a month-long public consultation with 21 respondents, including the Association of Banks in Singapore and law firm Linklaters Singapore, which represented the Singapore FinTech Association.