At a glance: Duties of telcos and banks under Singapore’s scam liability framework


Banks and telcos will foot the bill if they fail to fulfill these duties.

Banks and telcos may have to foot the bill for scam losses if they fail to fulfil the duties outlined by MAS and IMDA.


SINGAPORE – A new framework will be launched on Dec 16 to establish who pays the bill for phishing scam losses.

First in line to be examined are banks, such as DBS Bank, UOB, OCBC Bank and Citibank, and payment services providers that offer e-wallets, such as Grab, YouTrip and Revolut, under the finalised Shared Responsibility Framework that was unveiled on Oct 24.

Next will be the four telcos – Singtel, StarHub, M1 and Simba Telecom.

Victims will have to bear the cost of a scam as long as the duties outlined by the Monetary Authority of Singapore (MAS) and Infocomm Media Development Authority (IMDA) for financial institutions and telcos are fulfilled.

Here are the duties for financial institutions and telcos that will come into force on Dec 16.

Duties of financial institutions

1. Implement 12-hour cooling period

Financial institutions and banks are required to implement a 12-hour cooling period when a digital security token is activated – such as when a user sets up an account on a new device.

During this time, no high-risk activities can be performed, such as adding new payees or carrying out high-value transactions, to give customers more time to spot potential unusual activities on their accounts. The 12-hour cooling-off period will also apply to logins to an e-wallet such as Grab on a new device.

2. Alert users to high-risk activities

Users should be immediately notified whenever a digital security token linked to their accounts is activated, and in the event of any high-risk activities like high-value transactions.

MAS and IMDA said: “Collectively, the 12-hour cooling-off period and the notification alerts give consumers some time to react and take preventive action if the activation request was not intended by the consumer.”

3. Notify users of outgoing transactions

Banks and financial institutions must alert customers to outgoing transactions through real-time notifications. This is essential so customers can promptly report potential scams, said the regulators.

4. Provide a 24-hour reporting channel and ‘kill’ switch

Users should always have access to a reporting channel, allowing them to reach the financial institution to block scammers from making any fraudulent transactions on their accounts.

Customers should also have access to a “kill” switch that allows them to freeze their accounts and prevent further unauthorised transactions.

The emergency feature was introduced in 2022 following a spate of phishing scams targeting OCBC customers, who lost a total of about $13.7 million.

5. Set up real-time fraud surveillance

Financial institutions will be required to set up real-time fraud surveillance systems that block unauthorised transactions, following feedback from the industry in a public consultation on the framework that took place in late 2023.

Banks must be able to detect when a large sum of money – defined as a transaction involving above half of a balance in an account of at least $50,000 – is being transferred from an account, and either block the suspicious transaction until it is able to get the customer’s confirmation, or hold the transaction for at least 24 hours, said IMDA and MAS.

Failure to do so makes the bank liable to pay the victim in full.

Duties of telcos

1. Flag unauthorised aggregators

Customers should receive text messages that display the name of the sender only if they come from authorised senders that are registered with IMDA’s SMS Sender ID Registry.

Companies frequently send bulk text messages through aggregators, which act on behalf of a business that wants to send SMSes.

Texts received by users from unauthorised sources will be flagged as “likely scam”.

2. Block unauthorised sender IDs

Telcos are required to block messages from all unauthorised aggregators to prevent their customers from receiving sender ID SMSes from external channels, including unknown networks.

3. Implement anti-scam filters

Telcos are expected to set up anti-scam filters for all SMS messages that pass through their networks. The filters are designed to scan for messages containing URLs that match a database of malicious links that have been flagged.

The regulators said: “The purpose of this duty is to further mitigate against the risks of scam SMS that may pass through mobile networks in Singapore.”
