SINGAPORE, Oct 26 – Banks such as DBS Bank, UOB, OCBC Bank and Citibank, and payment services providers that offer e-wallets, such as Grab, YouTrip and Revolut are the first in line in a new framework that will be launched on December 16 to establish who pays the bill for phishing scam losses.
Under the finalised Shared Responsibility Framework that was unveiled on Thursday, next up will be the four telcos in Singtel, StarHub, M1 and Simba Telecom, reported The Straits Times.
If duties outlined by the Monetary Authority of Singapore (MAS) and Infocomm Media Development Authority (IMDA) for financial institutions and telcos are fulfilled, victims will have to bear the cost of a scam.
Here are the duties for financial institutions and telcos that will come into force on December 16.
Financial institutions• Implementation of 12-hour cooling period — Financial institutions and banks are required to implement a 12-hour cooling period when a digital security token is activated – such as when a user sets up an account on a new device. During the period, no high-risk activities can be performed, such as adding new payees or carrying out high-value transactions, to give customers more time to spot potential unusual activities on their accounts. The 12-hour cooling-off period also applies to logins to an e-wallet such as Grab on a new device.
• Alert users to high-risk activities — Users should be immediately notified whenever a digital security token linked to their accounts is activated, and in the event of any high-risk activities like high-value transactions.
• Notify users of outgoing transactions — Banks and financial institutions must alert customers to outgoing transactions through real-time notifications so customers can promptly report potential scams.
• Provide a 24-hour reporting channel and ‘kill’ switch — Users should always have access to a reporting channel, allowing them to reach the financial institution to block scammers from making any fraudulent transactions on their accounts. Customers should also have access to a “kill” switch that allows them to freeze their accounts and prevent further unauthorised transactions. The emergency feature was introduced in 2022 following a spate of phishing scams targeting OCBC customers, who lost a total of about S$13.7 million (RM45.03 million)
• Set up real-time fraud surveillance — Financial institutions will be required to set up real-time fraud surveillance systems that block unauthorised transactions.. Banks must be able to detect when a large sum of money – defined as a transaction involving above half of a balance in an account of at least S$50,000 (RM164,330) – is being transferred from an account, and either block the suspicious transaction until it is able to get the customer’s confirmation, or hold the transaction for at least 24 hours.
Telcos
• Flag unauthorised aggregators — Customers should receive text messages displaying the name of the sender only if they come from authorised senders that are registered with IMDA’s SMS Sender ID Registry. Companies frequently send bulk text messages through aggregators, which act on behalf of a business. Texts received by users from unauthorised sources will be flagged as “likely scam”.
• Block unauthorised sender IDs — Telcos are required to block messages from all unauthorised aggregators to prevent their customers from receiving sender ID SMSes from external channels, including unknown networks.
• Implement anti-scam filters — Telcos are expected to set up anti-scam filters for all SMS messages that pass through their networks. The filters are designed to scan for messages containing URLs that match a database of malicious links that have been flagged.