A Shared Responsibility Framework (SRF) to tackle phishing scams has been proposed by the Monetary Authority of Singapore (MAS) and Infocomm Media Development Authority (IMDA).

The framework aims to strengthen the direct accountability of financial institutions and telecommunication companies to customers. It will assign duties to mitigate phishing scams, and the organizations will also be required to make payouts to victims where these duties are breached.

“Breaches of the duties will result in payouts to affected scam victims. This incentivises vigilance by all parties in the ecosystem to uphold safety in e-payments,” said Ho Hern Shin, Deputy Managing Director (Financial Supervision), MAS.

Besides the proposed SRF, both parties are also proposing amendments to the E-payments User Protection Guidelines in order “to uplift the standards of anti-scam measures across the financial system, and reinforce consumer’s responsibility to take precautions against scams,” Ho continued.

Prevent phishing scams

The SRF builds on a framework the Payments Council set out last year for sharing losses due to phishing scams, yet only covered financial institutions.

The new framework sets out the responsibilities between the sectors, and will focus on a defined scope of phishing scams, “where consumers are deceived into revealing their account credentials to scammers impersonating legitimate entities, leading to unauthorised transactions being performed”.

For financial institutions, one of the new obligations will include making sure outgoing transaction notification(s) are sent to customers, and telecommunication companies will have to implement a scam filter.

“Breaches of the duties will result in payouts to affected scam victims. This incentivises vigilance by all parties in the ecosystem to uphold safety in e-payments.”

Ho Hern Shin, Deputy Managing Director (Financial Supervision), MAS

The responsibility for the losses is based on a “waterfall approach”, which means that the financial institutions, followed by telecommunications companies, will bear the full loss if they fail to uphold their set duties.

This, MAS and IMDA say, “incentivises financial institutions and telecommunication companies to strictly uphold the desired standards of anti-scam controls”.

Aileen Chia, Deputy Chief Executive (Connectivity, Development & Regulation), IMDA, said that the organization has worked closely with telecommunications companies to implement a multi-layered approach to prevent scams over calls and SMS. One measure, the mandatory SMS Sender ID Registry, was introduced in January 2023. It reduced the number of scam SMS cases by 70% in the first three months.

“The inclusion of telecommunication companies in the Shared Responsibility Framework as supporting infrastructure providers serves to strengthen the ecosystem against scams,” Chia continued.

Malware or certain fraud not covered

However, the SRF will not cover fraud where victims interact with the scammers, such as authorizing payments or giving away personal information – for example investment fraud or love scams.

Even though malware scams can result in unauthorized transactions, the SRF will not cover those scams either as “this type of scam is relatively new, and it is premature to set out specific malware scam-related duties at this stage given that these risk-mitigating measures are still developing”, MAS and IMDA explain.

The evolving scam landscape will be monitored closely for future application of the SRF.

Before finalizing the SRF, MAS and IMDA seek comments on the joint consultation paper, which can be submitted till December 20, 2023.