Tuesday, 16 July 2024
MAS and IMDA consult on shared framework against phishing
The Monetary Authority of Singapore (MAS) and Infocomm Media Development Authority IMDA) published a joint consultation paper proposing a Shared Responsibility Framework (SRF) for phishing scams.
The SRF assigns financial institutions (FI) and telecommunication companies (telcos) relevant duties to mitigate phishing scams, and requires payouts to affected scam victims where these duties are breached.
The SRF builds on the work done last year by the Payments Council on a framework for sharing losses due to phishing scams that covered only FI. The SRF includes FI, who play a critical role as gatekeeper against the outflow of monies due to scams, as well as telcos, who play a supporting role as infrastructure providers for SMS which is used by FI as an official communication channel.
Among scam types prevalent today, digitally-enabled scams that result in unauthorised transactions are of particular concern. As such transactions are performed without the customer’s knowledge or consent, they could undermine confidence in our digital banking and payments systems.
The SRF will focus on a defined scope of phishing scams, where consumers are deceived into revealing their account credentials to scammers impersonating legitimate entities, leading to unauthorised transactions being performed.
The proposed framework aims to strengthen the direct accountability of FI and telcos to consumers. It sets out discrete and well-defined duties for FI and telco to mitigate the risk of consumers falling prey to phishing scams. Breaches of these duties, such as a failure to send outgoing transaction notification to consumers in the case of FI, and a failure to implement a scam filter in the case of telcos, would be the starting point for determining the party to be held responsible for losses under the framework. It therefore incentivises FI and telcos to strictly uphold the desired standards of anti-scam controls.
The consideration of which party will bear responsibility for the losses is accordingly based on a “waterfall approach”. FI, followed by telcos, are expected to bear the full loss, if they fail to discharge their respective prescribed duties. FI stand first in line, given that they hold greater responsibility as custodians of consumers’ money. Telcos stand second in line, as they play a secondary role in fostering security of digital payments by facilitating SMS delivery. If FI and telcos have fulfilled their duties, the SRF will not require payouts to be made to consumers. It is therefore critical for consumers to continue to exercise vigilance at all times and not click on any unsolicited, suspicious links.
The SRF will not cover malware-enabled scams, including malware scams. Although malware scams also result in unauthorised transactions which could undermine confidence in digital banking, this type of scam is relatively new, and it is premature to set out specific malware scam-related duties at this stage given that these risk-mitigating measures are still developing.
The government is resolute in fighting malware scams and has been working closely with the industry to take upstream and downstream safeguard measures, together with extensive public education.
The government will continue to monitor the evolving scam landscape in the future application of the SRF. The joint consultation paper seeks comments on the scope of the SRF, duties of FI and telcos under the framework, and the approach for payouts for scam losses, among others. The government will carefully take into account these comments when finalising the framework.
Ho Hern Shin, deputy managing director for financial supervision at MAS, said: “MAS, the financial industry and other government agencies have been collaborating closely to combat scams. The SRF assigns shared responsibility by specifying upstream anti-scam duties FI and telcos have to adhere. Breaches of the duties will result in payouts to affected scam victims. This incentivises vigilance by all parties in the ecosystem to uphold safety in e-payments. Alongside the proposed SRF, we are also proposing amendments to the e-payments user protection guidelines, to uplift the standards of anti-scam measures across the financial system, and reinforce consumer’s responsibility to take precautions against scams.
Aileen Chia, deputy chief executive for connectivity, development and regulation at IMDA, said: “IMDA has worked closely with the telcos to implement a multi-layered approach to prevent scams from being conducted over calls and SMS. Measures such as the mandatory SMS sender ID registry introduced in January 2023 have significantly reduced the number of scam SMS cases by 70% in the three months since the registry’s launch. The inclusion of telcos in the Shared Responsibility Framework as supporting infrastructure providers serves to strengthen the ecosystem against scams.”
Re-disseminated by The Asian Banker
