SINGAPORE: Mobile phone networks that don’t enforce security protocols will have to reimburse victims of certain phishing scams – a ruling that already applies to financial institutions.
The move will likely make Singapore the first jurisdiction to include telecommunication operators or other infrastructure service providers in a fraud reimbursement framework.
The Monetary Authority of Singapore (MAS) and Infocomm Media Development Authority (IMDA) said in a joint consultation paper out on Wednesday that placing “duties on responsible telcos” aims to reduce the risks of scam SMS being sent to consumers.
The move is part of a proposed “waterfall approach” that will assess responsibility, with retail banks such as Citibank, DBS, UOB and OCBC, and payment service providers like Grab that offer ewallets first in line.
This is because they are custodians of consumer funds and so play a critical role as gatekeepers against money being misappropriated by scammers. They have the primary responsibility to implement robust controls to safeguard accounts and to effectively respond to suspicious transactions, the regulators said.
If they carry out these duties properly, they will not be required to reimburse phishing victims, particularly those who are duped into revealing their account credentials such as username and passwords to scammers impersonating legitimate entities such as government agencies or banks.
Consumers in such cases will then have to bear the full loss. They can take action by lodging a complaint at the Financial Industry Disputes Resolution Centre.
Telcos stand second in line as they are the infrastructure providers for SMS texts. Scammers have tried to impersonate financial institutions and other businesses using SMS that appear as legitimate ones sent by banks, for example.
Not all phishing scams are covered in the new proposed framework.
Scams that will be covered include those where a fraudster pretends to be from a legitimate entity such as SingPost or DHL and sends emails or SMS claiming account-related issues to trick the victim into clicking a URL link to a fake website where he enters his account credentials.
They also include those where a scammer purports to be from a financial institution offering attractive deals like high interest rates on fixed deposits and free mobile phones to trick victims into clicking a URL link to a fake website to enter account credentials.
Scams where victims authorise payments to a fraudster, such as those arising from investment or love scams, are not covered.
Malware scams are not covered either. These usually involve scammers duping people into downloading and installing malicious Android apps, which give remote access to victims’ devices to obtain their Internet banking credentials or credit card details.
The new proposals would also require banks to impose a 12-hour cooling-off period to prevent large sums being transferred from an account to a third party if a scammer has phished a consumer’s credentials and activated a digital security token. They should also send notification alerts to consumers, and take preventive measures if the activity is unauthorised.
A 24/7 reporting channel and self-service feature such as a kill-switch should be set up so consumers can report and block unauthorised access to their accounts.
Telcos can deliver a sender identification SMS to a subscriber only if it originates from an authorised aggregator. An aggregator is a link between a business that wants to send an SMS and the mobile phone network that delivers it to a user’s mobile phone.
Telcos must block sender identification SMS coming in from all other channels to prevent consumers from receiving one from unauthorised or unknown networks.
They must also implement an anti-scam filter for all SMS and block those with known phishing links.
Breaches of these duties would be the starting point for determining who is to held responsible for losses under the framework, which builds on the work done last year by the Payments Council to counter phishing scams involving financial institutions.
The regulators noted on Wednesday, digitally-enabled scams that result in unauthorised transactions are of particular concern as they could undermine confidence in Singapore’s digital banking and payments systems.
“It is therefore critical for consumers to continue to exercise vigilance at all times and not click on any unsolicited, suspicious links,” they said.
The joint consultation paper seeks comments on the scope of the new regulations, the duties of financial institutions and telcos and the approach for payouts for scam losses, among others.
The new framework will likely be implemented in the first half of next year.
The number of phishing scams here involving banks fell from a high of 839 in December 2021 to 113 in May 2022, noted police data.
Banks recovered about S$57.6mil (RM201.22mil) from different scams in the first nine months of this year, according to the Association of Banks in Singapore (ABS) on Tuesday, adding that new anti-malware tools have further protected customers from potential losses of at least S$18.6mil (RM64.97mil).
Countries like Australia have also considered shared loss schemes as a result of scams. The European Commission has proposed a “refund” to victims of certain types of fraud, while Britain is planning to enforce mandatory reimbursement by banks to scam victims up to £1mil (RM5.80mil) – with the sending and receiving banks sharing the bill. – The Straits Times (Singapore)/Asia News Network