Introduction
With the rapid ascent of digital payments and transactions in Singapore, one of the key concerns has been the persistent threat of digitally-enabled scams. Not only are such scams becoming more prevalent, but their methodologies are also constantly evolving. It is thus of vital importance that individuals and enterprises take appropriate and adequate measures to prevent digital scams.
The question then arises as to what measures need to be taken, and who bears the responsibility of preventative action. Singapore, which has been at the forefront of combating digital scams, has sought to provide greater clarity in this regard by issuing a slate of guidelines regarding the duties and responsibilities of financial institutions (“FIs”) and telecommunication companies (“Telcos”):
- Guidelines on the Shared Responsibility Framework (“SRF Guidelines”): This sets out the details of the Shared Responsibility Framework (“SRF”), which prescribes the responsibilities of FIs and Telcos to mitigate digital phishing scams and allocates the liability for losses arising from such scams.
- E-Payments User Protection Guidelines (“E-Payments Guidelines”): The E-Payments Guidelines have been enhanced to deal with unauthorised transactions arising from scams. The enhancements set out the duties of FIs to implement anti-scam measures and facilitate scam detection.
- Circular No: MAS/PD/2024/10/04 on “Anti-Scam Measures by Major Payment Institutions that Issue Personal Accounts Containing E-Money” (“Anti-Scam Circular”): This sets out the Monetary Authority of Singapore’s (“MAS”) expectations of Major Payment Institutions (“MPIs”) that are e-wallet providers to implement the prescribed anti-scam measures before raising the stock and/or flow caps for their customers’ e-wallets beyond the previous regulatory limits (or, even if not raising the caps, to consider progressively implementing the anti-scam measures over time).
This Update highlights the key features of: (i) the SRF Guidelines (including the insights provided in the SRF Consultation Response, defined below); (ii) the enhancements to the E-Payments Guidelines; and (iii) the expectations under the Anti-Scam Circular.
SRF Guidelines
The SRF assigns responsible FIs and Telcos with relevant duties to mitigate digitally-enabled phishing scams, and requires payouts to affected scam victims where these duties are breached.
MAS and the Infocomm Media Development Authority (“IMDA”) had earlier conducted a public consultation on the proposed SRF from October to December 2023 (for more information on the public consultation, please see our earlier Legal Update on “Dealing with Digitally-Enabled Scams – MAS and IMDA Launch Consultations on Duties and Liability of Financial Institutions and Telcos”). MAS and IMDA have now set out their response to the feedback received in the public consultation (“SRF Consultation Response”), making certain amendments to the initially-proposed SRF, including the addition of new duties and finetuning its operational workflow.
MAS and IMDA have now announced that the SRF will be implemented from 16 December 2024.
To assist FIs, Telcos and individuals, MAS and IMDA have issued the SRF Guidelines, which will also be implemented from 16 December 2024, and which clarify: (i) the allocation of responsibility for losses arising from phishing scams under the SRF; and (ii) the operational workflow for consumers to report such scams.
In this section, we look at the following key elements of the SRF Guidelines:
- The scope of the SRF;
- The duties of responsible FIs and Telcos;
- The responsibility for losses arising from “seemingly authorised transactions”; and
- The operational workflow for processing claims under the SRF.
Scope of SRF
The SRF Guidelines apply to the following categories of entities:
- Responsible FIs: Banks and relevant payment service providers (“PSPs”) that have issued a “protected account”; and
- Responsible Telcos: Mobile network operators under the Telecommunications Act 1999 which provide cellular mobile telephone services.
A “protected account” is a payment account that is:
- Held in the name of one or more persons;
- Capable of holding a balance of more than S$1,000 at any one time, or a credit facility;
- Capable of being used for electronic payment transactions; and
- Where issued by a relevant PSP, a payment account that stores specified e-money.
The SRF Guidelines clarify that the SRF applies only to “seemingly authorised transactions”. In this regard:
- The phishing scam must be perpetrated through the impersonation of a legitimate business or government entity to obtain the victim’s account credentials via a digital messaging platform (e.g. “SMS”, email, WhatsApp, social media platforms), where the account user enters his account credentials on a fabricated digital platform and such credentials are used to perform transactions that the account user did not intend to be performed.
- MAS and IMDA have confirmed in the SRF Consultation Response that the SRF will focus on digital phishing scams, and will not cover malware scams, non-digital phishing scams, or other unauthorised transaction scam variants that do not involve phishing.
Duties of responsible FIs
The SRF Guidelines set out the responsibilities of responsible FIs in mitigating phishing scams. These duties are drawn from Section 4 of the E-Payments Guidelines, and include the following:
- Cooling-off period: The responsible FI must impose a cooling-off period of at least 12 hours where high-risk activities cannot be performed, when: (i) a digital security token is activated on a device; or (ii) there is a login to a protected account issued by a relevant PSP on a new device.
- Notification for account access and high-risk activities: The responsible FI must provide notification alerts on a real-time basis to the account holder of a protected account, when: (i) his digital security token is activated; (ii) there is a login to a protected account on a new device; or (iii) any high-risk activities are performed on a protected account.
- Notification for outgoing transactions: The responsible FI must provide outgoing transaction notification alerts on a real-time basis.
- Reporting channel and “kill switch”: The responsible FI must provide a reporting channel and self-service feature for the account holder to promptly block further access to the protected account.
- Fraud surveillance: The responsible FI must put in place real-time fraud surveillance directed at detecting unauthorised transactions in a phishing scam. Where a protected account is rapidly drained of a material sum to a scammer, the responsible FI must: (i) block the transaction and all subsequent transactions to the scammer until it is able to obtain further verification; or (ii) send a notification to the account holder, and block or hold the transaction and all subsequent transactions for at least 24 hours.
It should be noted that the fraud surveillance duty was not initially included in the public consultation on the proposed SRF. It was added following feedback received in the public consultation, so as to strengthen FIs’ fraud surveillance controls and substantially reduce cases of customers having material sums rapidly wiped out from their accounts without their knowledge.
Given that this is a newly added duty, MAS will allow a six-month transition period from 16 December 2024 before FIs are held to the fraud surveillance duty.
Duties of responsible Telcos
The SRF Guidelines set out the duties of responsible Telcos, which are a specific subset of IMDA’s directions to Telcos under Section 31 of the Telecommunications Act 1999. The duties are as follows:
- Connecting only to authorised aggregators: The responsible Telco must deliver a “Sender ID SMS” to subscribers only if it is received from authorised aggregators.
- Blocking “Sender ID SMS”: The responsible Telco must block a “Sender ID SMS” which is received from sources other than authorised aggregators.
- Anti-scam filter: The responsible Telco must implement an anti-scam filter for every “SMS” that passes through its network, to determine if it contains any uniform resource locator (“URL”) that matches a known malicious URL in a designated database.
Duties of account users
The duties of the account user as set out in Section 3 of the E-Payments Guidelines would apply accordingly. In particular, account users should take necessary precautions, such as practising good cyber hygiene and never giving away their personal or account credentials to anyone. Account users also should not click on links purportedly sent by the responsible FI, unless these are informational links that the account user is expecting to receive from the responsible FI.
Responsibility for losses arising from seemingly authorised transactions
The question of which party will bear responsibility for losses arising from seemingly authorised transactions under the SRF is based on a “waterfall approach”, which operates as follows:
- Step 1: The responsible FI is expected to bear any loss arising from: (i) any non-compliance by the responsible FI with any duty set out in the SRF Guidelines; or (ii) any action or omission by the responsible FI in paragraphs 5.5(a) and 5.5(b) of the E-Payments Guidelines.
- Step 2: If the responsible FI has complied with all of its duties, the responsible Telco is expected to bear the losses arising from its non-compliance with any duty set out in the SRF Guidelines.
- Step 3: Where the responsible FI and the responsible Telco have fulfilled their respective duties and are not expected to bear the loss pursuant to the SRF Guidelines, the loss falls on the account holder.
Operational workflow for processing claims under SRF
The SRF Guidelines set out the workflow for processing claims in respect of any seemingly authorised transaction. The workflow is divided into the following stages:
- Claim stage: The account holder should report any unauthorised activity to the responsible FI no later than 30 calendar days from when the responsible FI sends the relevant notification alerts. The responsible FI is expected to provide the account holder with relevant information that the responsible FI has of all the seemingly authorised transactions.
- Investigation stage: The responsible FI, and responsible Telco where applicable, must conduct an investigation to determine if they have fulfilled their duties under the SRF Guidelines. The responsible FI will first assess if the claim involves a seemingly authorised transaction that falls within the SRF’s scope. The responsible FI will next assess if the transaction resulted from a scammer impersonating an entity and contacting the account holder using “SMS” and, if so, will inform the responsible Telco so that the Telco can commence its own investigation.
The responsible FI and responsible Telco should complete their investigation of any relevant claim within 21 business days for straightforward cases or 45 business days for complex cases.
MAS and IMDA have indicated in the SRF Consultation Response that they are in discussions with FIs and Telcos on finalising the investigations protocols, and on internal processes for resolving disputes between FIs and Telcos during the investigations stage.
- Outcome stage: The responsible FI will inform the account holder of the investigation outcome and the assessment of the account holder’s responsibility within the time periods set out above. The responsible FI should seek acknowledgement from that account holder of the investigation outcome.
- Recourse stage: Where an account holder is dissatisfied with the outcome at the outcome stage, he may pursue further action through avenues of recourse such as the Financial Industry Disputes Resolution Centre Ltd (for FI decisions) or IMDA (for Telco decisions).
MAS and IMDA have stated in the SRF Consultation Response that they will monitor FIs’ and Telcos’ compliance with the SRF Guidelines, including their resolution of claims concerning scam losses. FIs and Telcos are expected to treat customers fairly and to investigate all cases of customer disputes independently.
E-Payments Guidelines
In line with the efforts to combat digital scams and provide clarity to relevant parties on their responsibilities, MAS has now issued the updated E-Payments Guidelines, which will take effect from 16 December 2024. The enhancements target unauthorised transactions arising from scams and set out the duties of FIs to implement anti-scam measures and facilitate scam detection.
Introduced in 2018, the E-Payments Guidelines set out the expectations of MAS of any responsible FI that issues or operates a protected account. It deals with unauthorised and erroneous transactions (not just phishing scams) and is thus of a wider scope than the SRF. MAS had proposed enhancements to the E-Payments Guidelines in 2023 targeted at unauthorised transactions arising from prevalent scam typologies in Singapore, such as phishing and malware-enabled scams. A public consultation on the proposed enhancements was conducted alongside the public consultation on the proposed SRF.
The updated version largely adopts the enhancements proposed in the public consultation. For a summary of the proposed enhancements, please see our earlier Legal Update on “Dealing with Digitally-Enabled Scams – MAS and IMDA Launch Consultations on Duties and Liability of Financial Institutions and Telcos”.
The E-Payments Guidelines cover the following areas:
- Application;
- Duties of account holders and account users;
- Duties of the responsible FI;
- Liability for losses arising from unauthorised transactions;
- Specific duties in relation to erroneous transactions;
- Dispute resolution process for handling any disputed investigation; and
- Charges relating to transactions under dispute.
Scope of E-Payments Guidelines
The E-Payments Guidelines apply to responsible FIs which, in relation to any protected account, means any bank, non-bank credit card issuer, finance company or relevant PSP that issued the protected account. A “protected account” has the same definition as under the SRF Guidelines.
Duties of responsible FI
For the purposes of this Update, we will highlight the key elements of the E-Payments Guidelines relating to the duties of responsible FIs, some of which have been adopted in the SRF Guidelines:
- Informing account holder of duties: The responsible FI should clearly inform account holders of the user protection duties as set out in paragraph 4.3 of the E-Payments Guidelines.
- Quick Response (“QR”) codes, links and phone numbers: The responsible FI should not send clickable links or QR codes to an account user via email or “SMS”, or send phone numbers via “SMS”, unless the account user is expecting to receive such email or “SMS”.
- High-risk activities: The responsible FI should impose a cooling-off period of at least 12 hours where high-risk activities cannot be performed, when a digital security token is activated on a device, or when there is a login to a protected account on a new device. The responsible FI should also inform the account user of the risks and implications of performing high-risk activities.
- Notifications: The responsible FI should provide notification alerts on a real-time basis, for activation of digital security tokens, conduct of high-risk activities, and outgoing payment transactions. Such notifications are also encouraged for incoming transactions. The E-Payments Guidelines set out the applicable criteria for such notifications.
- “Kill switch”: The responsible FI should provide a self-service “kill switch” for account holders to promptly block further access to a protected account.
- Payment recipient information: The responsible FI should provide the prescribed information to allow the account user to identify the payment recipient. Where transactions are made by way of internet banking, any mobile phone application or other devices arranged for by a responsible FI for payment transactions, the responsible FI should provide an onscreen opportunity for any account user to confirm the payment transaction and recipient credentials before executing any authorised payment transaction.
- Reporting channel: The responsible FI should provide a reporting channel for unauthorised or erroneous transactions, and for blocking further access to a protected account.
- Surveillance: The responsible FI should have in place capabilities to detect, block, and inquire into the authenticity of suspected unauthorised transactions. This duty will only be implemented from 16 June 2025.
- Claims procedure: The responsible FI should have a proper governance structure and investigation process for assessing any claim made by any account holder in relation to any unauthorised transaction. The prescribed procedure is further discussed below.
- Crediting accounts: Where applicable, the responsible FI should credit the account holder’s protected account with the total loss arising from any unauthorised transaction as soon as investigations are completed if it has assessed that the account holder is not liable for any loss.
Liability for losses
The account holder of a protected account is liable for actual loss arising from an unauthorised transaction where any account user’s recklessness was the primary cause of the loss.
However, the account holder is not liable for such loss if it arises from any action or omission by the responsible FI and does not arise from any failure by any account user to comply with his duties as set out in the E-Payments Guidelines.
It should be noted that any action or omission by the responsible FI includes the following:
- Fraud or negligence by the responsible FI, its employee, its agent or any outsourcing service provider;
- Non-compliance by the responsible FI or its employee with any MAS requirement; and
- Non-compliance by the responsible FI with any duty set out in the E-Payments Guidelines.
Claims procedure and dispute resolution
The procedure for a responsible FI to assess and investigate any claim made by an account holder in relation to an unauthorised transaction includes the following elements:
- Communicate the claim resolution process and assessment to the account holder in a timely and transparent manner;
- Involve representatives who are independent of the business units to carry out the assessment;
- Complete an investigation of any relevant claim within 21 business days for straightforward cases or 45 business days for complex cases; and
- Give the account holder a written or oral report of the investigation outcome and its assessment of the account holder’s liability.
When the account holder does not agree with the investigation outcome of the relevant claim, the responsible FI should have a dispute resolution process including the following elements:
- Provide account holders with a channel to raise the disputed investigation;
- Assess and complete an investigation of any disputed investigation within 21 business days or, where there are exceptional circumstances, within 45 business days of receipt of the disputed investigation;
- Assess if there are any grounds for further investigation to be made on the disputed investigation; and
- Give the account holder a written or oral report of the outcome of the assessment and investigation of the disputed investigation.
Anti-Scam Circular
MAS issued the Anti-Scam Circular on 25 October 2024. The Anti-Scam Circular sets out MAS’ expectations of MPIs that are licensed under the Payment Services Act 2019 to carry on a business of providing an account issuance service and that issue personal payment accounts containing e-money. The expectations therein relate to the implementation of anti-scam measures before raising the stock and/or flow caps for customers’ e-wallets beyond the previous regulatory limits.
By way of background, on 15 December 2023, the regulatory limits on the stock cap and flow cap for e-wallets were raised. MPI e-wallet providers are now able to provide individual customers with a stock cap of up to S$20,000 (previously S$5,000) and a flow cap of up to S$100,000 (previously S$30,000). However, these increases may expose customers to a higher risk of suffering larger losses from scams, and scammers may use their own e-wallets as a conduit to channel larger amounts of scam proceeds.
Thus, if an MPI e-wallet provider wishes to raise the stock and/or flow caps for its customers’ e-wallets pursuant to the increased regulatory limits, MAS expects the MPI e-wallet provider to first implement anti-scam measures commensurate to the increased risk. The measures are classified into preventative measures, detective measures, and remedial measures.
Preventative measures
- Restrictions on sending of clickable links or QR codes via email or “SMS”, or phone numbers via “SMS”;
- 12-hour cooling-off period upon login to e-wallet on a new device;
- Additional confirmation when performing high-risk activities and large funds transfers;
- Default transaction limit of at most S$1,000 on outgoing payment transactions from e-wallets;
- Default limit of two top-up sources linked to each e-wallet;
- Default limit of two e-wallets that one top-up source is linked to; and
- Flexibility to opt out from having higher e-wallet caps.
Detective measures
- Transaction notification alerts on a real-time basis for each outgoing payment transaction;
- Default threshold for outgoing transaction notification alerts set at S$0;
- Notification alerts for login to e-wallet on a new device or high-risk activities; and
- Real-time detection and blocking of suspicious transactions.
Remedial measures
- Providing a reporting channel that is available at all times for the purposes of reporting unauthorised or erroneous transactions, and blocking further access via mobile and online channels to an e-wallet; and
- Providing a “kill switch” for an e-wallet holder to promptly block access to his e-wallet and disallow outgoing payment transactions.
Concluding Words
As demonstrated in the above slate of guidelines and circulars, MAS and IMDA take a serious approach in their efforts to combat scams, particularly digitally-enabled scams. This is reflected in the wide scope of responsibilities set out in these guidelines and circulars to mitigate the risk of such scams.
FIs and Telcos should be aware of their respective responsibilities in this regard and should review their processes and policies to ensure that the measures that they have in place comply with the recommended standards. FIs and Telcos should also be aware of the prescribed processes for claims assessments and dispute resolution and set up the relevant operational workflows.
Please click on the following links for further information on the above instruments (available on the MAS website at www.mas.gov.sg and the IMDA website at www.imda.gov.sg):