Financial institutions and telcos required to share responsibility for phishing scams in Singapore from 16 December 2024

The Shared Responsibility Framework (SRF) was first proposed in Singapore in 2023 and will come into effect on 16 December 2024. It was jointly developed by the Monetary Authority of Singapore (MAS) and the Infocomm Media Development Authority (IMDA), which will both oversee its implementation. In short, the SRF introduces a framework that requires losses from certain types of phishing scams to be shared across scam victims, financial institutions (FIs) and mobile telephone operators (telcos). MAS had published a consultation paper in October 2023 and followed up with a recent response paper in October 2024.

The SRF aims to: (a) preserve confidence in digital payments and digital banking; (b) strengthen relevant entities’ direct accountability to consumers for losses incurred from digital scams; and (c) emphasise individuals’ responsibility to remain vigilant against scams. The SRF, to be implemented via a set of Guidelines, is aimed at bolstering the accountability of FIs and telcos in protecting consumers from losses incurred due to phishing scams where the FIs and telcos are assessed to have breached their relevant duties (as described below).

Types of scams covered

The SRF covers a defined scope of phishing scams, ie, scams with:

• a digital nexus (ie, where consumers are deceived into clicking on a phishing link and entering their credentials on a fake digital platform, thereby allowing for unauthorised transactions to be performed from the account); and
• a “clear” Singapore nexus (ie, the impersonated entity is Singapore-based, or based overseas but offers its services to Singapore residents).

Duties of FIs and telcos

There are five duties which FIs are required to adhere to under the SRF. These comprise:

• implementing a 12-hour cooling-off period upon activation of digital security tokens during which “high-risk” activities cannot be performed;
• providing real-time notification alerts for the activation of digital tokens and conduct of high-risk activities;
• providing outgoing transaction notification alert(s) on a real-time basis;
• providing a 24/7 reporting channel and self-service feature for customers to report and block unauthorised access to their accounts (ie, a “kill” switch); and
• establishing real-time fraud surveillance systems to detect unauthorised transactions in a phishing scam that result in an account being rapidly drained of a material sum to a scammer. In such scenarios, FIs must either block the transactions until they obtain positive confirmation from the customer or provide notifications to the customer while blocking or holding the transactions for 24 hours.

In particular, the requirement on FIs to establish real-time fraud surveillance systems at (5) above is new. It was absent from the consultation paper and was only included in the response paper in light of public feedback to the consultation. FIs will therefore be given an additional 6-month transition period following 16 December 2024 before they are held to this additional duty. For the other duties, FIs are required to abide by them from 16 December 2024.

For telcos, there are three duties:

• connect only to authorised aggregators for delivery of Sender ID SMS to ensure these SMS originate from bona fide senders registered with the Singapore SMS Sender ID Registry;
• block Sender ID SMS which are not from authorised aggregators to prevent delivery of Sender ID SMS originating from unauthorised SMS networks; and
• implement an anti-scam filter over SMS to block SMS containing malicious URL in a designated database.

Exactly how effectively FIs and telcos will be able to implement and comply with the relevant duties will depend on a number of factors, including the following:

• Technical infrastructure: FIs may need to build (or enhance existing systems) in relation to the requirements for “kill” switch and real-time fraud surveillance systems, while telcos will need to have a robust and adaptable technical infrastructure that can effectively connect to authorised aggregators, block unauthorised SMS and implement an anti-scam filter;
• Investment: Implementing new systems and measures within the relatively short timeframe might require significant financial investment;
• Training: Technical implementation and compliance will only be effective if relevant personnel are aware of and understand the relevant duties; and
• Periodic review: Telcos should periodically review and, if necessary, adjust their practices to ensure ongoing compliance with the SRF.

“Waterfall approach to losses”

As set out in the original consultation, FIs are first-in-line expected to provide payouts when their SRF duties are breached. Telcos are included as the secondary and supporting layer in the “waterfall” in recognition of their responsibility in protecting consumers from the in-scope SMS phishing scams.

In accordance with the “waterfall” approach, FIs will be expected to bear the scam losses in situations where both the FI and telco have not met their specified duties. However, if the FI has not breached its duties, while the telco has breached its SRF duties, the responsible telco is expected to bear the loss in full.

Operational workflow for handling claims under the SRF

In case of an alleged breach, the SRF sets out four stages to a claim:

• Claim stage: A victim of a scam will need to provide details of the phishing scam to their FI in order to initiate the claims process, with the FI being the first and overall “point of contact” for the customer.
• Investigation stage: This is followed by an investigation stage, where both the applicable FI and telco (if the scam was perpetrated by SMS) will be involved.
• Outcome stage: FIs will be required to bear the full extent of losses if they assess that they have not met their duties. If an FI finds that it has fulfilled all its duties, the SRF would proceed to consider whether the scam was perpetrated by way of short message service (ie, SMS), and if so, whether the telco has fulfilled its duties. If the telco has not fulfilled its duties, the telco would be liable for the losses. It is only if both the FI and telco have fulfilled their duties that the customer will need to bear the loss. Generally, any investigative process should take no more than 21 business days (for straightforward cases) or 45 business days (for complex cases).
• Recourse stage: If a consumer is dissatisfied with the outcome, they can turn to other existing avenues of recourse, such as mediation and adjudication with the Financial Industry Disputes Resolution Centre. Scam victims can also pursue civil claims against the relevant entities through the courts. This also applies where cases fall outside the scope of the SRF, or where entities have not breached any relevant duties.

Refinements to the above operational workflow are still being studied, including how potential disagreements between stakeholders over a claim assessment can be managed. MAS and IMDA will finalise these before the SRF commences.

Some points to note

In the recently published response paper, MAS and IMDA have also helpfully clarified a few points:

• MAS and IMDA will not introduce any liability cap for losses, and there will be an expectation of full payouts in the event of breach of duties under the SRF.
• The SRF duties apply in relation to phishing scams enabled by digital messaging platforms, specifically where the scammer impersonates a legitimate entity and makes use of such a platform to correspond with the account user. Digital messaging platforms include, but are not limited to, Rich Communicate Services (RCS), email, and WhatsApp. MAS notes that some FIs do utilise RCS to communicate with their customers and have clarified that RCS is in-scope of the SRF for FIs. However, telcos’ SRF duties do not apply to messages delivered by RCS because RCS is not provided via the telcos’ SMS channels.
• The SRF does not apply to corporate customers.
• The SRF will apply to all customers of FIs in Singapore. Customers of FIs who are foreign residents, and who receive the FIs’ services from overseas, would also fall within the scope of the SRF.

Global developments

Following the finalisation of the SRF, Singapore is one of the first jurisdictions in the world with a framework on how compensation should be awarded to scam victims. In comparison, the United Kingdom has introduced a mandatory reimbursement framework in relation to payment services providers dealing with customers who are victims of authorised push payment (APP) fraud, which came into effect recently on 7 October 2024. Whilst the UK regulator has introduced a maximum reimbursement limit which can be awarded to victims of £85,000 (unlike Singapore), the UK regime covers authorised transactions, and is therefore broader in scope. The UK regime also does not hold telcos accountable.

This looks set to be part of a wider global trend of regulators assigning responsibility to and elevating the standards of customer protection for financial institutions, considering their relative deep pockets. It is notable that Australia has also recently published exposure draft legislation setting out its iteration of the SRF on 13 September 2024, while local media in Hong Kong  reported in September 2024 that the Hong Kong Monetary Authority had indicated it would  commence consultation on a “responsibility framework” for scams.

How we can assist

The team at Herbert Smith Freehills Prolegis has been closely following the development of the SRF in Singapore, as well as similar loss-sharing frameworks in overseas jurisdictions. If there are any queries (whether on potential legal ramifications, implementation concerns or otherwise), please feel free to reach out to a member of the team.