FINANCIAL institutions (FIs) will now be required to implement real-time fraud surveillance on unauthorised transactions from phishing scams, under the shared responsibility framework (SRF).
This in response to feedback received on a consultation paper on the framework, said the Monetary Authority of Singapore (MAS) and the Infocomm Media Development Authority of Singapore (IMDA) on Thursday (Oct 24).
The framework – which assigns duties to FIs and telecommunication companies to mitigate phishing scams, and sets expectations of payouts to affected scam victims – will be implemented on Dec 16, 2024.
MAS and IMDA said they will adopt a key area of feedback, and introduce an additional duty on FIs that requires real-time fraud surveillance directed at detecting unauthorised transactions in a phishing scam that result in account draining.
This means that if a customer’s account is being rapidly drained of a material sum to scammers, FIs must either block the transaction until it is able to reach the customer for positive confirmation, or send a notification to the customer and block or hold the transaction for 24 hours. An account is considered to be rapidly drained if more than half of a balance of at least $50,000 is transferred out cumulatively over a day.
Originally under the SRF, FIs were required to impose a 12-hour cooling-off period upon activating a digital security token, and provide real-time notification alerts when activating digital security tokens and conducting high-risk activities.
BT in your inbox
Start and end each day with the latest news stories and analyses delivered straight to your inbox.
They should also provide real-time outgoing transaction notification alerts, and have a 24/7 reporting channel and kill switches for customers to report and block unauthorised access to their accounts.
As the fraud surveillance was not within the four FI duties originally consulted on, MAS will allow a six-month transition period from the date of the SRF’s implementation for FIs to be held to the duty.
Ho Hern Shin, deputy managing director for financial supervision at MAS, noted that the additional fraud surveillance duty may result in more inconvenience for some retail consumers when conducting large value transactions.
“This additional friction is necessary to protect customers against large unauthorised transactions,” she said.
Ho added that MAS is also studying stronger, out-of-band authentication solutions beyond the SRF, to enhance defences against unauthorised phishing transactions.
Apart from the new FI duty, MAS and IMDA noted that respondents are hoping for more scam variants to be covered under the SRF, beyond phishing scams – such as malware-enabled scams or any type of fraudulent payments that relate to impersonation.
But the authorities said they will keep the scope of the SRF focused on a defined range of phishing scams, where the corresponding duties for FIs and telcos can be clearly set out.
Nevertheless, they will continue to work with FIs and ecosystem players to mitigate the risk of other types of scams such as malware-enabled scams, including holding ecosystem players accountable where necessary.
Meanwhile, the SRF will also continue to focus on FIs and telcos as these entities bear responsibility to implement measures that safeguard consumers from the risks of phishing scams.
This was in response to feedback for more entities in the communications layer, such as messaging platforms and social media services, to be included in the SRF.
Overall, respondents welcomed the SRF and supported the efforts to better protect consumers, MAS and IMDA said.
MAS and IMDA had received 72 responses from members of the public and representatives of businesses from the financial and telecommunication sectors, in the consultation period between Oct 25 and Dec 20, 2023.
The SRF will operate as part of the broader suite of upstream and downstream measures that government, FIs, telcos, and other ecosystem players have progressively implemented to tackle scams in Singapore, the authorities said.
In response to the framework, The Association of Banks in Singapore (ABS) director Ong-Ang Ai Boon said the ABS and its member banks welcome the SRF, and are committed to upholding the principles of the framework and supporting victims of scams.
She said: “Consumers can expect some friction in the customer journey… We seek customers’ understanding, as the industry continues to enhance and adapt its fraud surveillance over time to uphold banking security without overly compromising on a seamless banking experience.”
Meanwhile, Singapore’s major mobile network operators said they have already implemented the telco duties.
In a joint statement, M1, Singtel, StarHub and Simba said: “We remain committed to collaborating closely with the authorities to implement effective countermeasures against new and evolving scam tactics for the protection of our customers.”
