MAS and IMDA consult on Shared Responsibility Framework for phishing scams

1. The Monetary Authority of Singapore (MAS) and Infocomm Media Development Authority (IMDA) today published a joint consultation paper proposing a Shared Responsibility Framework (SRF) for phishing scams. The SRF assigns financial institutions (FIs) and telecommunication companies (Telcos) relevant duties to mitigate phishing scams, and requires payouts to affected scam victims where these duties are breached.

2. The SRF builds on the work done last year by the Payments Council¹ on a framework for sharing losses due to phishing scams that covered only FIs. The SRF includes FIs², who play a critical role as gatekeeper against the outflow of monies due to scams, as well as Telcos³, who play a supporting role as infrastructure providers for SMS which is used by FIs as an official communication channel.

3. Among scam types prevalent today, digitally-enabled scams that result in unauthorised transactions are of particular concern. As such transactions are performed without the customer’s knowledge or consent, they could undermine confidence in our digital banking and payments systems⁴.

4. The SRF will focus on a defined scope of phishing scams, where consumers are deceived into revealing their account credentials to scammers impersonating legitimate entities, leading to unauthorised transactions being performed.

5. The proposed framework aims to strengthen the direct accountability of FIs and Telcos to consumers. It sets out discrete and well-defined duties⁵ for FIs and Telcos to mitigate the risk of consumers falling prey to phishing scams. Breaches of these duties, such as a failure to send outgoing transaction notification(s) to consumers in the case of FIs, and a failure to implement a scam filter in the case of Telcos, would be the starting point for determining the party to be held responsible for losses under the framework. It therefore incentivises FIs and Telcos to strictly uphold the desired standards of anti-scam controls.

6. The consideration of which party will bear responsibility for the losses is accordingly based on a “waterfall approach”. FIs, followed by Telcos, are expected to bear the full loss, if they fail to discharge their respective prescribed duties. FIs stand first in line, given that they hold greater responsibility as custodians of consumers’ money. Telcos stand second in line, as they play a secondary role in fostering security of digital payments by facilitating SMS delivery. If FIs and Telcos have fulfilled their duties, the SRF will not require payouts to be made to consumers. It is therefore critical for consumers to continue to exercise vigilance at all times and not click on any unsolicited, suspicious links.

7. The SRF will not cover malware-enabled scams (malware scams). Although malware scams also result in unauthorised transactions which could undermine confidence in digital banking, this type of scam is relatively new, and it is premature to set out specific malware scam-related duties at this stage given that these risk-mitigating measures are still developing.

8. The Government is resolute in fighting malware scams and has been working closely with the industry to take upstream and downstream safeguard measures⁶, together with extensive public education⁷. The Government will continue to monitor the evolving scam landscape in the future application of the SRF.

9. The joint consultation paper seeks comments on the scope of the SRF, duties of FIs and Telcos under the framework, and the approach for payouts for scam losses, among others. The Government will carefully take into account these comments when finalising the framework.

10. Ms Ho Hern Shin, Deputy Managing Director (Financial Supervision), MAS, said “MAS, the financial industry and other government agencies have been collaborating closely to combat scams. The SRF assigns shared responsibility by specifying upstream anti-scam duties FIs and Telcos have to adhere. Breaches of the duties will result in payouts to affected scam victims. This incentivises vigilance by all parties in the ecosystem to uphold safety in e-payments. Alongside the proposed SRF, we are also proposing amendments to the E-payments User Protection Guidelines (EUPG), to uplift the standards of anti-scam measures across the financial system, and reinforce consumer’s responsibility to take precautions against scams.

11. For more details, please refer to the public consultation page. MAS and IMDA invite interested parties to submit their comments on the proposals by 20 December 2023.

Background information 

The E-payments User Protection Guidelines were put in place in 2018 to reinforce confidence in the use of electronic payments, by setting out responsibilities and liabilities of responsible financial institutions (such as banks, credit card issuers and major payment institutions that offer account issuance services) and consumers in the event of unauthorised or erroneous payment transactions.

MAS announced in February 2022 that the Payments Council, chaired by MD MAS, has been working on the review of the SRF Guidelines and the loss sharing approach since July 2021. This follows other measures which have been announced to reinforce safety in digital banking:

• 18 September 2023 - Reply to Adjournment Motion on “Losses from Scams and Malware Fraud: Doing Right by Bank Customers”
• 8 May 2023 - Written reply to Parliamentary Question on update on the progress of the framework for equitable sharing of losses
• 2 June 2022 - Additional Measures to Strengthen the Security of Digital Banking
• 15 February 2022 - Ministerial Statement on “Bolstering the Security of Digital Banking”
• 4 February 2022 - Equitable Loss Sharing Framework
• 19 January 2022 - MAS and ABS Announce Measures to Bolster the Security of Digital Banking