MAS issues e-payment guidelines to protect users from fraud and errors

The guidelines by the Monetary Authority of Singapore cover both users of e-payments and financial institutions that provide such electronic services.
The guidelines by the Monetary Authority of Singapore cover both users of e-payments and financial institutions that provide such electronic services.ST PHOTO: KUA CHEE SIONG

SINGAPORE - The Monetary Authority of Singapore (MAS) has issued a set of guidelines aimed at protecting users of electronic payments from fraud, errors and security threats, as part of Singapore's cashless push.

The guidelines, to kick in by Jan 31 next year, cover both users of e-payments and financial institutions - banks, insurance providers, firms with stored value facilities and other intermediaries - that provide these electronic services.

Users are expected to provide updated contact information, monitor transaction notifications to spot suspicious activities early, and practise good security measures, according to the guidelines released on Friday (Sept 28).

Such security measures include installing the latest software updates and patches for their mobile phones and computers used in the transaction, and wherever possible, installing and maintaining the latest anti-virus software.

If unauthorised transactions are detected, users must report them as soon as possible, cooperate with the financial institutions promptly, and report the matter to the police if the institutions require police reports.

Financial institutions must investigate such claims quickly and provide a detailed investigation report within 21 days for straightforward cases, and 45 for complex ones.

The guidelines spell out who bears the losses in unauthorised transactions, and the user may be held fully responsible if hisbehaviour were fraudulent or reckless. This includes usinga "jail broken phone", in which a mobile phone's firmware is altered without the manufacturer's approval.

 
 
 

But if the institution is at fault, it is liable for the full amount. It will also have to bear full liability even if third parties caused the incident, for transactions up to $1,000. All other situations, including losses above $1,000 and attributed to third-party fault, will be assessed on a case-by-case basis by the financial institution.

For transactions which are made in error, a user will also need to inform the financial institution immediately, while the institution cannot debit the recipient's account without his consent. Simple cases will require the user's and recipient's financial institutions to make reasonable efforts to recover the erroneous sum within a one-week period.

However, scams are not considered as unauthorised or erroneous transactions, as the user was deceived by a scammer unrelated to financial institutions or merchants.

The guidelines encourage the wider adoption of e-payments by setting standards on the responsibilities of both groups, said the MAS. They are part of e-payment road map set out by MAS in 2016 to modernise regulations on cashless transactions.

Earlier this year, MAS conducted a month-long public consultation with 21 respondents, including the Association of Banks in Singapore (ABS) and law firm Linklaters Singapore, which represented the Singapore FinTech Association.

The ABS had asked if the new rules could create situations in which liabilities of users and financial institutions are not commensurate with their responsibilities.

For example, it said fraudsters may engineer unauthorised transactions in which the end-user is still deemed to be innocent. The institutions could end up shouldering the blame in such cases.

ABS' existing Credit Card Code makes cardholders fully liable if they are involved in fraud or acted with gross negligence.

In response, MAS said it studied the feedback carefully and weighed the duties of financial institutions to protect users from losses they are not responsible for. It revised the guidelines to clarify that these institutions bear the loss if the unauthorised transaction is due to their action or omission.

Fintech firm TransferWise, which handles more than $1 billion in money transfers to and from Singapore each year, told The Straits Times that MAS is leading the way in Asia towards an "activity-based regulatory framework".

Its head of banking Lukas May said: "The way in which this regulation applies equally to all e-payment institutions - whether banks or stored value facility providers - is a sensible approach and helps build consumer trust in regulated non-banks."