The Monetary Authority of Singapore (MAS) and the Infocomm Media Development Authority (IMDA) will implement the Shared Responsibility Framework (SRF) for Phishing on December 16, 2024.
The SRF will be implemented through a set of SRF guidelines and aims to strengthen the direct responsibility of financial institutions (FIs) and telecommunications companies (TELCOs) for losses due to phishing scams.
By using a “waterfall” approach to determining liability, the guidelines specify that fraud-related losses arising from failure to meet specified obligations will be borne by the responsible entity.
By holding these entities accountable, the SRF strengthens consumer protection and provides clear redress for victims in the event of phishing-related losses.
Actors and types of fraud covered by the shared responsibility framework
The SRF applies to all banks, large payment service providers (PSPs), and telecommunications companies that play a key role in protecting consumers’ financial and communications activities.
The framework specifically addresses phishing scams with clear links to Singapore and targets scams where the perpetrator impersonates a national or international organization providing services to Singapore residents.
The SRF covers common phishing scams that involve identity theft and fraudulent transactions, but does not include scams that involve authorized transactions, such as investment scams or romance scams.
Additionally, MAS excluded phishing scams conducted through non-digital means. This is being addressed through public education and recommendations that emphasize not sharing credentials or one-time passwords (OTPs).
The SRF liability provisions do not apply to transactions involving credit, charge or debit cards issued in Singapore.
Responsibilities of financial institutions, PSPs and carriers in the fight against fraud
Under the SRF, MAS and IMDA have established specific obligations for financial institutions, PSPs and telecommunications companies with the aim of directly combating phishing scams.
The final framework includes the obligations originally proposed, as well as introducing new fraud monitoring obligations for financial institutions in response to public feedback.
FI and PSP obligations
FIs and PSPs must implement several anti-fraud measures to prevent unauthorized access and to detect phishing activity.
A 12-hour cooling-off period is required after a digital security token is activated or a new device logs in to the e-wallet, reducing the window in which a freshly phished credential can be used for unauthorized access.
FIs and PSPs must also send real-time alerts for high-risk actions, such as logins from new devices, changes to contact details, increases in transaction limits and the addition of new payees, so that consumers can respond quickly to suspicious activity.
In addition, both FIs and PSPs must provide a 24/7 self-service “kill switch”, accessible by phone or in the app, that lets consumers block access to their own accounts.
In response to feedback, MAS has introduced new fraud monitoring obligations specifically targeting financial institutions.
This mandate requires financial institutions to conduct real-time monitoring to detect fraudulent transactions related to phishing scams.
If an account is being drained rapidly, financial institutions are expected to block the transactions, or hold them for 24 hours, until they have confirmed with the customer.
Financial institutions have a six-month transition period to comply with this new obligation before it becomes enforceable under the SRF.
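The guidelines quoted above say only that a rapidly emptying account must be blocked or held for 24 hours; they do not, on this page, define “rapidly”. The following Python sketch is an added illustration, not code from MAS, IMDA or any FI, of how such a real-time rule can be evaluated per account: outgoing transfers are summed over a trailing window, a transfer that would push the window outflow past a fixed share of the balance at the start of the window is held, later transfers stay held until the customer confirms, and confirmation rebases the window so verified activity is not counted twice. The 24-hour window, the 50% ratio, the hold period and the transfer stream are all assumptions constructed for the example.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, List, Optional, Tuple

# Policy parameters. These are hypothetical values chosen for this example;
# the SRF text on this page says only "rapidly" and "24 hours".
WINDOW = timedelta(hours=24)       # trailing window over which outflow is summed
DRAIN_RATIO = 0.5                  # hold once outflow reaches 50% of balance at window start
HOLD_PERIOD = timedelta(hours=24)  # length of the hold if the customer cannot be reached


@dataclass(frozen=True)
class Transfer:
    ts: datetime
    amount: float   # outgoing amount, always positive
    payee: str


@dataclass(frozen=True)
class Decision:
    action: str          # "allow" or "hold"
    drain_ratio: float   # (window outflow + this transfer) / balance at window start
    reason: str


class RapidDrainMonitor:
    """Per-account state: current balance, recent allowed outflows, active hold."""

    def __init__(self, opening_balance: float) -> None:
        self.balance = opening_balance
        self.recent: Deque[Tuple[datetime, float]] = deque()   # allowed outflows in WINDOW
        self.hold_until: Optional[datetime] = None

    def _prune(self, now: datetime) -> None:
        # Drop allowed outflows that have aged out of the trailing window.
        while self.recent and now - self.recent[0][0] > WINDOW:
            self.recent.popleft()

    def _ratio(self, amount: float) -> float:
        window_outflow = sum(a for _, a in self.recent)
        window_start_balance = self.balance + window_outflow
        if window_start_balance <= 0:
            return 1.0   # nothing left to protect; treat as fully drained
        return (window_outflow + amount) / window_start_balance

    def confirm(self, ts: datetime) -> None:
        """Customer confirmed the recent activity: lift the hold and rebase the
        window so already-verified outflows do not count against new transfers."""
        self.hold_until = None
        self.recent.clear()

    def submit(self, t: Transfer) -> Decision:
        self._prune(t.ts)
        if self.hold_until is not None:
            if t.ts < self.hold_until:
                return Decision("hold", self._ratio(t.amount),
                                "account on hold pending customer confirmation")
            self.hold_until = None   # hold expired; fall through and re-evaluate
        ratio = self._ratio(t.amount)
        if ratio >= DRAIN_RATIO:
            self.hold_until = t.ts + HOLD_PERIOD
            hours = WINDOW.total_seconds() / 3600
            return Decision("hold", ratio,
                            f"outflow would reach {ratio:.0%} of balance within {hours:.0f}h")
        # Allowed: debit the balance and remember the outflow for later window sums.
        self.balance -= t.amount
        self.recent.append((t.ts, t.amount))
        return Decision("allow", ratio, "within drain threshold")


def run_scenario() -> Tuple[RapidDrainMonitor, List[Decision]]:
    """Constructed sample stream (not real data): a S$10,000 account hit by a
    burst of transfers to new payees, a customer confirmation, then more transfers."""
    t0 = datetime(2024, 12, 16, 9, 0)
    h = lambda n: t0 + timedelta(hours=n)
    m = RapidDrainMonitor(opening_balance=10_000)
    out = [
        m.submit(Transfer(h(0), 1_000, "rent")),            # 10%  -> allow
        m.submit(Transfer(h(2), 3_000, "new-payee-1")),     # 40%  -> allow
        m.submit(Transfer(h(5), 2_500, "new-payee-2")),     # 65%  -> hold, account held
        m.submit(Transfer(h(6), 500, "new-payee-2")),       # held while hold is active
    ]
    m.confirm(h(7))                                          # customer verified activity
    out.append(m.submit(Transfer(h(7), 2_500, "new-payee-2")))  # 2500/6000 -> allow
    out.append(m.submit(Transfer(h(8), 500, "new-payee-3")))    # 3000/6000 = 50% -> hold
    return m, out


if __name__ == "__main__":
    monitor, decisions in run_scenario().__iter__(),  # placeholder, replaced below
```

The last two lines of the block above are wrong and should read `monitor, decisions = run_scenario()` followed by a loop printing each decision; the corrected stand-alone block is:

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, List, Optional, Tuple

# Policy parameters. These are hypothetical values chosen for this example;
# the SRF text on this page says only "rapidly" and "24 hours".
WINDOW = timedelta(hours=24)       # trailing window over which outflow is summed
DRAIN_RATIO = 0.5                  # hold once outflow reaches 50% of balance at window start
HOLD_PERIOD = timedelta(hours=24)  # length of the hold if the customer cannot be reached


@dataclass(frozen=True)
class Transfer:
    ts: datetime
    amount: float   # outgoing amount, always positive
    payee: str


@dataclass(frozen=True)
class Decision:
    action: str          # "allow" or "hold"
    drain_ratio: float   # (window outflow + this transfer) / balance at window start
    reason: str


class RapidDrainMonitor:
    """Per-account state: current balance, recent allowed outflows, active hold."""

    def __init__(self, opening_balance: float) -> None:
        self.balance = opening_balance
        self.recent: Deque[Tuple[datetime, float]] = deque()   # allowed outflows in WINDOW
        self.hold_until: Optional[datetime] = None

    def _prune(self, now: datetime) -> None:
        # Drop allowed outflows that have aged out of the trailing window.
        while self.recent and now - self.recent[0][0] > WINDOW:
            self.recent.popleft()

    def _ratio(self, amount: float) -> float:
        window_outflow = sum(a for _, a in self.recent)
        window_start_balance = self.balance + window_outflow
        if window_start_balance <= 0:
            return 1.0   # nothing left to protect; treat as fully drained
        return (window_outflow + amount) / window_start_balance

    def confirm(self, ts: datetime) -> None:
        """Customer confirmed the recent activity: lift the hold and rebase the
        window so already-verified outflows do not count against new transfers."""
        self.hold_until = None
        self.recent.clear()

    def submit(self, t: Transfer) -> Decision:
        self._prune(t.ts)
        if self.hold_until is not None:
            if t.ts < self.hold_until:
                return Decision("hold", self._ratio(t.amount),
                                "account on hold pending customer confirmation")
            self.hold_until = None   # hold expired; fall through and re-evaluate
        ratio = self._ratio(t.amount)
        if ratio >= DRAIN_RATIO:
            self.hold_until = t.ts + HOLD_PERIOD
            hours = WINDOW.total_seconds() / 3600
            return Decision("hold", ratio,
                            f"outflow would reach {ratio:.0%} of balance within {hours:.0f}h")
        # Allowed: debit the balance and remember the outflow for later window sums.
        self.balance -= t.amount
        self.recent.append((t.ts, t.amount))
        return Decision("allow", ratio, "within drain threshold")


def run_scenario() -> Tuple[RapidDrainMonitor, List[Decision]]:
    """Constructed sample stream (not real data): a S$10,000 account hit by a
    burst of transfers to new payees, a customer confirmation, then more transfers."""
    t0 = datetime(2024, 12, 16, 9, 0)
    h = lambda n: t0 + timedelta(hours=n)
    m = RapidDrainMonitor(opening_balance=10_000)
    out = [
        m.submit(Transfer(h(0), 1_000, "rent")),            # 10%  -> allow
        m.submit(Transfer(h(2), 3_000, "new-payee-1")),     # 40%  -> allow
        m.submit(Transfer(h(5), 2_500, "new-payee-2")),     # 65%  -> hold, account held
        m.submit(Transfer(h(6), 500, "new-payee-2")),       # held while hold is active
    ]
    m.confirm(h(7))                                          # customer verified activity
    out.append(m.submit(Transfer(h(7), 2_500, "new-payee-2")))  # 2500/6000 -> allow
    out.append(m.submit(Transfer(h(8), 500, "new-payee-3")))    # 3000/6000 = 50% -> hold
    return m, out


if __name__ == "__main__":
    monitor, decisions = run_scenario()
    for d in decisions:
        print(f"{d.action:5} ratio={d.drain_ratio:.2f}  {d.reason}")
    print(f"remaining balance: {monitor.balance:.2f}")
```

Two design points worth noting. The ratio is measured against the balance at the start of the window, not the current balance, so a sequence of individually small transfers cannot slip under the threshold by shrinking the denominator as they go. And a hold is decided before the debit is applied, which is what allows the transfer to be released unchanged once the customer confirms; in a production system the confirmation would come through an out-of-band channel rather than a method call, and the held transfers would be queued rather than simply refused.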
Telecommunications company obligations
Telcos play a key role in securing the SMS channel used in digital banking. They must connect only to authorized SMS aggregators, block SMS from unauthorized sources, and implement anti-scam filters that use machine learning to detect and block malicious URLs in SMS messages.
Compliance is assessed based on a carrier’s ability to block SMS messages containing URLs flagged as malicious by police.
IMDA recognizes the limitations of SMS, such as delivery failures caused by network or device conditions, and therefore also recommends that FIs adopt a multi-channel notification approach so that alerts do not depend on a single channel.
Determining compensation using a waterfall approach
SRF uses a “waterfall” approach to assigning responsibility for losses due to phishing scams.
This approach prioritizes financial institutions as the primary actors responsible for compensating victims when SRF obligations are breached.
If both the financial institution and the carrier fail to meet their responsibilities, the financial institution will primarily cover the loss, and the carrier will have secondary liability.
This structure establishes a fair and clear framework for compensation, balancing accountability between financial and telecommunications providers and encouraging vigilance across both sectors.
Four stages of SRF claims investigation
The SRF outlines a structured four-step process to streamline claims for consumers affected by phishing scams, which has been refined based on consultation feedback.
Claim stage:
To initiate an SRF claim, a consumer must report the phishing scam to the FI within three days and submit a valid email address, a police report and, where possible, records of the relevant digital communications (SMS, email, WhatsApp, etc.).
Financial institutions and carriers may request further details, but will accommodate the victim’s limitations in providing comprehensive information.
Investigation stage:
Financial institutions will lead the investigation and work with carriers if SMS-based fraud is involved.
Both financial institutions and carriers will conduct parallel and independent investigations with the goal of completing simple cases within 21 business days and more complex cases within 45 business days.
While the FI acts as the primary point of contact, the carrier assists with specific inquiries and ensures coordination and timely response.
Outcome stage:
In response to public feedback on the streamlined process, MAS and IMDA mandate a single line of communication for SRF claims, so that the consumer receives a clear and consistent outcome rather than separate answers from the FI and the telco.
Recourse stage:
In cases outside the scope of the SRF, or where there is no breach of obligation, consumers can seek mediation with the Financial Industry Dispute Resolution Center (FIDReC) or seek civil action through the courts.
Incorporating an e-wallet into the framework
Because the regulatory “stock” and “flow” limits for e-wallets were raised on December 15, 2023, allowing larger holdings and transfers, MAS requires e-wallet providers licensed as major payment institutions (MPIs) to participate in the SRF.
This reflects the increased risk of significant loss from e-wallets and mandates strong consumer protection controls for them.
Major e-wallet providers will also be required to join FIDReC, allowing users to access mediation and adjudication services for SRF-related disputes, similar to the protections available to bank account holders.
Ongoing fraud prevention efforts
The SRF is part of a broader and evolving strategy against fraud in Singapore, as MAS, IMDA and industry partners continue to strengthen defenses against phishing and other types of fraud.
In addition to the SRF, MAS and IMDA are working to strengthen digital security to protect consumers.
Ho Hern Shin, Deputy Managing Director (Financial Supervision) of MAS, said:
“With the addition of new fraud monitoring obligations, some retail customers may experience additional inconvenience when making high-value transactions. This additional friction is necessary to protect customers from large-scale fraudulent transactions.
In addition to the SRF, we are exploring stronger out-of-band authentication solutions, such as the use of Fast IDentity Online (FIDO)-compliant tokens, to strengthen our defenses against fraudulent phishing transactions.”
FIDO-compliant tokens are hardware authenticators that must be physically present (plugged in or within NFC or Bluetooth range of the user’s device) when a transaction is authorized. Unlike an SMS OTP, the token signs a challenge that is bound to the genuine site’s origin and the private key never leaves the device, so a credential captured on a phishing page cannot be replayed against the real bank.
Irene Chia, Deputy Chief Executive (Connectivity, Development and Regulation) at IMDA, said:
“IMDA has worked closely with carriers to protect the SMS channel, the official channel adopted by financial institutions for digital banking, by introducing measures such as mandatory SMS sender ID registries and anti-fraud filters.
These measures have resulted in over 20 million SMS being blocked since 2023. IMDA and telcos will continue to play their role in strengthening the ecosystem against fraud.”
Featured image credit: Edited from freepic