Shared Responsibility Framework – Enhancing accountability and reinforcing consumer confidence

Phishing is a scam that involves obtaining user and account data through digital messages from scammers containing links to fake websites that request sensitive account credentials and information from consumers. Scammers then access consumers’ bank accounts and undertake unauthorised transactions. An estimated 15,000 phishing scams occurred between 2021 and mid-2023, with losses averaging S$3,900 per scam. In February 2022, about 800 OCBC customers lost a combined S$13.7 million to scammers.

On 25 October 2023, the Monetary Authority of Singapore (MAS) and Infocomm Media Development Authority (IMDA) published a joint consultation paper proposing a Shared Responsibility Framework (SRF) for phishing scams. Broadly:

  1. Banks and telcos will have specific duties to mitigate the risk of consumers falling prey to phishing scams utilising a Singapore digital nexus, i.e. a digital platform to access accounts. If banks and/or telcos fail to do so, they must bear consumers’ losses by making payouts;
  2. Banks must do the following:
    • Impose a ‘cooling-off’ period of not less than 12 hours from when a digital security token is activated until a high-risk transaction can be authenticated using the token;
    • Provide real-time notification alerts for token activation and high-risk transactions;
    • Provide outgoing transaction notifications on a real-time basis;
    • Provide a reporting channel and self-service feature to consumers to promptly block access to the protected bank account.
  3. Telcos must do the following:
    • Connect only to authorised aggregators for delivery of Sender ID SMSes to ensure SMSes are from bona fide senders;
    • Block Sender ID SMSes which are not from authorised SMS networks;
    • Implement an anti-scam filter to block SMSes from known phishing links.
  4. Consumers are still expected to be the first line of defence against scams by using common sense, practising good cyber hygiene and not giving away personal or account credentials. Consumers are also expected to refer only to official sources for information, and not to click on unsubstantiated links in SMS or emails. Scams that will not be covered under SRF include:
    • Scams perpetrated by foreign scammers;
    • Scams which do not involve a digital nexus;
    • ‘Love’ or ‘Investment’ scams;
    • Scams where victims directly provide their information to scammers via text message or through non-digital means (eg. phone calls); and
    • Non-phishing scams (hacking, email interception, identity theft, malware-enabled scams etc.).

If an unauthorised transaction takes place, payouts will apply on a ‘waterfall’ basis:

  1. Is the Bank at fault?:
    The Bank involved must first assess whether its SRF duties have been fulfilled – if not, the Bank must payout to the consumer (whether or not the Telco involved has complied with its own SRF duties);
  2. Is the Telco at fault?:
    If the Bank has satisfied its SRF duties, then the Telco involved must check whether it has fulfilled its SRF duties – if not, then the Telco must payout to the consumer;
  3. Is the Consumer at fault?:
    If the Bank and Telco have both satisfied their respective SRF duties, then no payouts will be made to the consumer.

The claim process will be administered by the responsible Bank which will be the overall point of contact with the consumer. The 4 stages of a claim will involve:

  1. Claim stage:
    A claim must be made within 30 days of becoming aware of the unauthorised transaction. The Bank will then assess whether the claim falls within the SRF and will inform the Telco involved;
  2. Investigation stage:
    The Bank and Telco will conduct an investigation and assess their respective SRF responsibilities;
  3. Outcome stage:
    The Bank will inform the consumer of the investigation outcome; and
  4. Recourse stage:
    If dissatisfied, the consumer can seek recourse with FiDREC or IMDA.

There is currently no envisioned upper limit to the amount of losses that banks or telcos are to bear.

The SRF is a welcome development to reinforce consumer confidence in digital banking and enhane the accountability of the banking and telco channels. The SRF Consultation Paper is presently open for public comment and will close on 20 December 2023. The finalised SRF will likely incorporate tighter liability parameters, including possibly an upper limit on individual claim amounts (perhaps based on existing deposit insurance scheme limits) so that banks and telcos can manage their risks accordingly.

For further information, please contact:

Ting Chi Yen

Senior Partner

JTJB Singapore Office
E : tingchiyen@jtjb.com
T : 6224 0812