Victims of online scams should not assume they will be able to recover their losses, warns Singapore's financial services regulator, which is stressing the need for shared responsibility. The country is preparing to release a framework detailing how losses from online scams will be shared.
The Monetary Authority of Singapore (MAS) said it would publish the framework for public consultation within the next three months, adding that it would encompass responsibilities of other key parties in the ecosystem.
The industry regulator said in a statement Friday that the framework would operate on the basis that all parties had responsibilities to be vigilant and take precautions against scams.
Financial institutions must safeguard their customers, such as through implementing "robust controls" to protect customer accounts and "effective measures" to detect and respond to suspicious transactions.
"Customers have the responsibility to take necessary precautions, especially by never giving away personal or banking credentials to anyone, never clicking on links in SMS or email [messages] which are claimed to be sent by a bank, and transacting only through the bank's official website or mobile application," MAS said.
The framework, in the works since last July, aims to provide clarity on liabilities and how losses from fraudulent e-payment transactions should be shared amongst consumers and financial institutions. It currently is being developed by the Payments Council, which is chaired by MAS and comprises major providers and user groups of Singapore's payment services.
According to MAS, the proportion of losses each party should bear would depend on whether and how the party fell short of its responsibilities.
The industry regulator noted that financial institutions were expected to treat customers "fairly" and bear an "appropriate portion" of losses resulting from scams.
However, it stressed that care also should be taken to ensure compensation paid to customers did not dilute the incentive for vigilance.
In particular, MAS pointed to recent payouts made to victims of the OCBC Bank phishing scams, covering the full amounts lost to scammers. Describing the move as a "one-off gesture", the regulator said OCBC had done so in consideration of the circumstances, which included the bank's acknowledgment it failed to meet its own expectations of customer service and response.
"They do not set a general precedent for future cases," MAS said of the payouts.
The scams had involved 790 OCBC customers and resulted in losses totalling SG$13.7 million ($10.18 million), of which 80% occurred between December 23 and December 30 last year. Calls made to the bank's contact centre during that week climbed by more than 40%, according to OCBC.
In these phishing scams, which first surfaced December 1, scammers manipulated SMS Sender ID details to push out messages that appeared to be from OCBC. These SMS messages prompted the victims to resolve issues with their accounts, redirecting them to phishing websites and instructing them to key in their bank login details, including username, PIN, and One-Time Password (OTP).
Because OCBC's legitimate Sender ID was successfully cloned and spoofed, these messages appeared in the same thread as previous alerts or notifications from the bank, leading victims to believe they were legitimate.
In its statement released January 30, OCBC noted that victims had provided their online banking login credentials and one-time PINs to phishing websites. This enabled the scammers to hijack their bank accounts and make fraudulent transactions, it said.
"Nonetheless, OCBC decided to make the full payout as a one-off gesture of goodwill given the circumstances of this scam," the bank said. "We also took into consideration that our customer service and response fell short of our own expectations, which could have affected loss mitigation in some of the cases."
In an earlier statement posted December 30 last year, OCBC had said customers were "the first line of defence" against such scams and that once funds were moved from their account, the possibility of recovery was "very low". The bank added that it had issued its first advisory on December 23, warning the public about the scams and cautioning customers against clicking on links embedded in the SMS messages.
The scams prompted MAS to mandate new security measures last month that, amongst other things, required banks to remove hyperlinks from email or SMS messages sent to consumers and implement a 12-hour delay in activating mobile software tokens.
In its statement Friday, the regulator reiterated that it was reviewing longer-term measures to be rolled out in the coming months.
It also called on consumers to exercise greater vigilance and adopt digital safety practices, including keeping their devices updated with the latest security patches and antivirus software as well as monitoring transaction notifications from their banks.