The Monetary Authority of Singapore (MAS) and Infocomm Media Development Authority of Singapore (IMDA) have just announced a consultation for the Shared Responsibility Framework for Phishing Scams. According to MAS and IMDA, “this consultation sets out a proposed Shared Responsibility Framework (SRF) for sharing responsibility for scam losses amongst financial institutions (FIs), telecommunication operators (Telcos) and consumers for unauthorized transactions arising from phishing scams”. MAS and IMDA are looking for industry response to the consultation by December 31, 2023.
The scope of the fraud cases covered is as follows:
- Where a consumer is deceived into clicking on a phishing link and entering his credentials on a fake digital platform, thereby unknowingly revealing these credentials to the scammer.
- Such phishing scams should also have a clear Singapore nexus. The impersonated entities should be Singapore based or based overseas and offer their services to Singapore residents.
Excluded from this proposal are:
- Scams where victims authorize payments to the scammer, e.g., payments arising from investment scams or love scams (authorized scams) which victims intended to be performed at the point of transaction.
- Scams where a consumer was deceived into giving away his credentials to the scammer directly via text messages, and non-digital means (i.e., phone calls or face-to-face).
- Unauthorized transaction scam variants that do not involve phishing (e.g., hacking, identity theft, malware-enabled variants).
In the scope above, a “fake digital platform” refers to a fake digital platform that resembles the legitimate digital platform operated by an FI or other impersonated entity, or any party related to the FI or impersonated entity.
For scams not covered by this proposal, the consultation says: “For scams that are not in scope, existing avenues of recourse remain open to consumers, including requesting their FIs to assess their case for goodwill payments, or filing a dispute with the Financial Industry Disputes Resolution Centre Ltd (FIDReC).”
In the MAS/IMDA document, the consultation provides very clear examples (with detailed scam scenarios) of what scams will be covered or not. Here are two examples:
So, for a quick summary, this MAS proposal for sharing reimbursement for fraud losses involves a subset of unauthorized payment transactions and does not involve any authorized payment transactions (authorized push payments).
Expanding Liability to Telcos
What is most important in this consultation is the recognition that Telcos are a real part of the problem for some of the unauthorized payment transaction scams, especially those involving bogus text messages. As a result, Telcos should contribute to the reimbursement of the fraud loss, along with banks, if either party has breached its defined responsibilities. MAS does mention that it has been working with banks and Telcos to add fraud controls to reduce fraud in Singapore.
MAS has defined several key responsibilities banks and Telcos must support.
For banks, the responsibilities include:
- Impose a 12-hour cooling off period upon activation of digital security token during which ‘high-risk’ activities cannot be performed.
- Provide notification alert(s) on a real-time basis for the activation of digital security token and conduct of high-risk activities.
- Provide outgoing transaction notification alert(s) on a real-time basis.
- Provide a (24/7) reporting channel and (a special) self-service feature (a “kill switch” that consumers can self-activate to immediately block their account and prevent further unauthorized transactions).
For Telcos, the responsibilities include:
- Connect only to authorized aggregators for delivery of Sender ID SMS to ensure these SMS originate from bona fide senders registered with the SMS Sender ID Registry (SSIR).
- Block Sender ID SMS which are not from authorized aggregators to prevent delivery of Sender ID SMS originating from unauthorized SMS networks.
- Implement an anti-scam filter over all SMS to block SMS with known phishing links.
The consultation has defined a Waterfall Approach for reimbursement. The bank is first in the waterfall. If the bank has breached any of its major responsibilities, it will be fully responsible for reimbursement to the customer. If the bank has met its obligations, then the Telco is next in line. If the Telco has failed any of its major obligations, it will become fully liable to reimburse the customer. IMDA and MAS then say: “If both the FI and Telco have carried out their SRF duties, the consumer bears the full losses.” The consumer still has the option of the dispute process. See diagram 1 for the Waterfall Approach.
As MAS looks at the serious issue of solving the various types of fraud and scams that target FI customers, it reemphasizes that it is expecting FIs and Telcos to add proper controls that prevent these scams from occurring. It has been one of the most aggressive regulators defining prescriptive fraud controls. It has also pushed FIs to offer ‘goodwill’ payouts to customers of these various frauds and scams.
The consultation acknowledges two key points:
- It believes it is the first regulator to require Telcos to be part of the reimbursement process. MAS says: “Currently, no (other) known jurisdictions have included telecommunication operators or other infrastructure service providers in their scam reimbursement frameworks.”
- It acknowledges that most other jurisdictions have not covered authorized transaction scam reimbursement. The UK (soon to cover a broad array of APP scams for required reimbursements), the Netherlands and soon the EU (both for bank impersonation authorized payment scams only) are the only regions with some form of APP scam reimbursement.
MAS does state that it plans to review other scam types in the future and take into account what other countries are doing for reimbursement.
The reimbursement proposal by MAS and IMDA is just one of several by country regulators in 2023 to help define/clarify how customers can be reimbursed for the fraud and scams they fall victim to. This MAS/IMDA proposal is focused on unauthorized payment fraud and specifically phishing activities. But it is unique in that it requires Telcos to participate in the reimbursement process.
Singapore is the first country to formally require Telcos to be part of the fraud scam reimbursement process. A recently published UK Finance report stated that “17% of authorized push payment (APP) fraud in the UK started via telecommunications networks. Another 77% of APP fraud in the UK started online.” So, clearly, it is appropriate to involve Telcos. And probably online social media/dating sites should be included in the future as well.
This proposal also indirectly highlights that in Singapore, not all unauthorized fraud transactions are automatically reimbursed by the FI. Some number of these unauthorized fraud transactions are possibly only reimbursed by the ‘goodwill’ of the FI.
MAS has also focused on prescriptive fraud controls for FIs and Telcos. This is a very important part of the MAS strategy to prevent fraud and scams. And this should be part of every FI and Telco company strategy to help eliminate this serious issue of fraud/scam losses.
We have clearly seen the benefit of new telco scam controls in Australia. In the summer of 2023, the Australian Communications and Media Authority (ACMA) released a report that showed a significant reduction in vishing and smishing complaints in Australia. Here is an extract from the report:
A key trend observed in 2022–23 is a promising downward year-on-year number of complaints associated with the introduction of (new ACMA) anti-scam call and SMS rules:
- Phone scam complaints have decreased by 72% since 2020–21 (with the blocking rules introduced in December of that period).
- SMS scam complaints have decreased 86% since 2021–22 (with the blocking rules introduced at the beginning of the 2022–23 period).