The Monetary Authority of Singapore (MAS) and the Infocomm Media Development Authority (IMDA) will implement the Shared Responsibility Framework (SRF) for phishing scams on 16 December 2024.
The SRF, to be implemented via a set of SRF Guidelines, aims to strengthen the direct accountability of financial institutions (FIs) and telecommunications companies (telcos) for phishing scam losses.
The guidelines specify that responsible entities will bear scam-related losses arising from any failure to fulfill their designated duties, using a “waterfall” approach to determine liability.
By holding these entities accountable, the SRF enhances consumer protection and provides clear avenues for victim recourse in cases of phishing-related losses.
Entities and Types of Scams Covered Under the Shared Responsibility Framework
The SRF applies to all full banks, major payment service providers (PSPs), and telcos with major roles in safeguarding consumers’ financial and communication activities.
The framework specifically addresses phishing scams with a clear connection to Singapore, targeting scams where perpetrators impersonate local or international entities serving Singapore residents.
While the SRF covers common phishing scams involving impersonation and unauthorized transactions, it does not include scams involving authorized transactions, such as investment scams and love scams.
Additionally, MAS has excluded phishing scams conducted through non-digital means, as these are addressed through public education and advisories that stress not sharing credentials or one-time passwords (OTPs).
The SRF’s liability provisions do not extend to transactions involving credit cards, charge cards, or debit cards issued in Singapore.
Responsibilities of FIs, PSPs, and Telcos in Combating Scams
Under the SRF, MAS and IMDA have established specific duties for FIs, PSPs, and telcos, designed to directly combat phishing scams.
The final framework includes the originally proposed duties and introduces a new fraud surveillance duty for FIs in response to public feedback.
Duties of FIs and PSPs
FIs and PSPs must implement several anti-scam measures to prevent unauthorized access and detect phishing threats.
A 12-hour cooling-off period is required for the activation of digital security tokens and new device logins to e-wallets, reducing the risk of unauthorized access.
FIs and PSPs must also send real-time alerts for high-risk actions, such as new device logins, contact detail changes, transaction limit increases, and the addition of new payees, allowing consumers to respond swiftly to suspicious activity.
Additionally, both FIs and PSPs are mandated to provide a 24/7 self-service “kill switch,” accessible by phone or app, enabling consumers to block account access if unauthorized activity is suspected.
In response to feedback, MAS has introduced a new fraud surveillance duty specifically for FIs.
This duty requires FIs to conduct real-time monitoring to detect unauthorized transactions linked to phishing scams.
If an account is rapidly drained, FIs are expected to either block the transaction until they confirm with the customer or place a 24-hour hold on the transaction.
FIs have a six-month transition period to comply with this new duty before it becomes enforceable under the SRF.
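The fraud surveillance duty above maps naturally onto a velocity rule. The following is an added illustration, not code from MAS or any FI; the drain threshold (half the opening balance within one hour), the event fields and the sample transfers are all assumptions constructed for the example. It returns the two outcomes the duty allows for a rapid drain: block pending customer confirmation, or a 24-hour hold.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Assumed thresholds (hypothetical, not taken from the SRF Guidelines):
# a "rapid drain" is reached when outflows inside a one-hour window,
# including the transfer being screened, total at least half the
# account's opening balance for the day.
DRAIN_WINDOW = timedelta(hours=1)
DRAIN_FRACTION = 0.5
HOLD_DURATION = timedelta(hours=24)  # the 24-hour hold named in the duty


@dataclass
class Transfer:
    ts: datetime
    amount: float


@dataclass
class Decision:
    action: str  # "allow", "block_pending_confirmation" or "hold"
    release_at: Optional[datetime] = None


def is_rapid_drain(history: List[Transfer], candidate: Transfer,
                   opening_balance: float) -> bool:
    """Sum outflows in the window ending at the candidate transfer."""
    window_start = candidate.ts - DRAIN_WINDOW
    recent = sum(t.amount for t in history
                 if window_start <= t.ts <= candidate.ts)
    return recent + candidate.amount >= DRAIN_FRACTION * opening_balance


def screen_transfer(history: List[Transfer], candidate: Transfer,
                    opening_balance: float,
                    customer_reachable: bool) -> Decision:
    """Apply the surveillance rule to one outgoing transfer."""
    if not is_rapid_drain(history, candidate, opening_balance):
        return Decision("allow")
    # Rapid drain detected: confirm with the customer where that is
    # possible, otherwise hold the transfer for 24 hours.
    if customer_reachable:
        return Decision("block_pending_confirmation")
    return Decision("hold", release_at=candidate.ts + HOLD_DURATION)


# Constructed sample: two earlier transfers today, then a third one.
T0 = datetime(2024, 12, 16, 10, 0)
SAMPLE_HISTORY = [Transfer(T0, 2000.0),
                  Transfer(T0 + timedelta(minutes=20), 2000.0)]
```

With an opening balance of 10 000, a third transfer of 1 500 at 10:40 pushes the one-hour total to 5 500 and trips the rule; a transfer of 100 at the same time does not.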
Telcos’ Duties
Telcos play a key role in securing SMS channels used in digital banking. They are required to connect only with authorized SMS aggregators, block unauthorized SMS sources, and implement anti-scam filters that use machine learning to detect and block malicious URLs in SMS messages.
Compliance will be assessed based on telcos’ ability to block SMS messages containing URLs flagged by the police as malicious.
Recognizing the limitations of SMS—such as potential delivery issues due to network or device conditions—IMDA also recommends a multi-channel notification approach to enhance security across platforms.
Determining Compensation With the Waterfall Approach
The SRF employs a “waterfall” approach to assign responsibility for losses from phishing scams.
This approach prioritizes FIs as the primary entities responsible for compensating victims when SRF duties are breached.
If both FIs and telcos fail in their responsibilities, FIs are first in line to cover losses, with telcos bearing secondary responsibility.
This structure establishes a fair and clear framework for compensation, balancing accountability between financial and telecommunications providers while encouraging vigilance across both sectors.
Four Stages of SRF Claim Investigations
The SRF outlines a structured, four-stage process to streamline claims for consumers impacted by phishing scams, with refinements based on consultation feedback:
Claim Stage:
To initiate an SRF claim, consumers must report the phishing scam to their FI within three days, providing a valid email, a police report, and, if available, digital communication records (such as SMS, emails, or WhatsApp).
FIs and telcos may request further details but will accommodate victims’ limitations in providing comprehensive information.
Investigation Stage:
FIs lead the investigation, coordinating with telcos if SMS-based scams are involved.
Both FIs and telcos will conduct concurrent and independent investigations, with a target of completing straightforward cases within 21 business days and more complex cases within 45 business days.
While FIs act as the main contact, telcos may assist with specific queries, ensuring collaboration and timely responses.
Outcome Stage:
MAS and IMDA have mandated a single communication chain for SRF claims to ensure clarity and consistency, addressing public feedback for a streamlined process.
Recourse Stage:
For cases outside the SRF scope or without duty breaches, consumers can pursue mediation with the Financial Industry Disputes Resolution Centre (FIDReC) or seek civil action through the courts.
E-wallet Inclusion in the Framework
With the raised regulatory “stock” and “flow” caps as of 15 December 2023, allowing larger amounts to be held in and transferred through e-wallets, MAS requires e-wallet providers holding a major payment institution (MPI) license to participate in the SRF.
This inclusion acknowledges the increased risk of significant losses from e-wallets and mandates robust consumer protection controls.
Major e-wallet providers are also required to join FIDReC, giving users access to mediation and adjudication services for SRF-related disputes, similar to protections available to bank account holders.
Ongoing Anti-Scam Efforts
The SRF is part of a broader, evolving strategy against scams in Singapore, as MAS, IMDA, and industry partners continue to strengthen defenses against phishing and other scam types.
In addition to the SRF, MAS and IMDA have been working on strengthening digital security to protect consumers.
Ho Hern Shin, Deputy Managing Director (Financial Supervision), MAS, said,
“With the addition of a new fraud surveillance duty, some retail customers may experience more inconvenience when conducting larger value transactions. This additional friction is necessary to protect customers against large unauthorised transactions.
Beyond the SRF, we are studying stronger, out-of-band authentication solutions, such as the use of Fast IDentity Online (FIDO)-compliant tokens, to enhance defences against unauthorised phishing transactions.”
A FIDO-compliant token is an authentication device that must be in close proximity to the user’s device when conducting a transaction, adding another layer of protection against unauthorized access.
Aileen Chia, Deputy Chief Executive (Connectivity, Development & Regulation), IMDA, said,
“IMDA has worked closely with the telcos to secure the SMS channel, an official channel adopted by FIs for digital banking, through the implementation of measures such as the mandatory SMS Sender ID Registry and anti-scam filter.
These measures resulted in over 20 million SMSes being blocked since 2023. IMDA and telcos will continue to play our part in strengthening the ecosystem against scams.”