Singapore wants banks and telcos to bear losses if found negligent in phishing scams
Singapore has laid out a framework detailing parties that should be held responsible for phishing scams, with banks and telcos taking on accountability for the first line of defense.
Regulators for the financial services and ICT sectors this week released a joint consultation paper with a proposed shared responsibility framework that will kick in, in the event of a phishing scam.
Also: Quishing is the new phishing: What you need to know
It assigns "relevant duties" to both financial institutions and telcos to mitigate such scams and details financial damages to be paid out to affected victims, should these duties be breached, said Monetary Authority of Singapore (MAS) and Infocomm Media Development Authority (IMDA).
The proposed framework comes more than a year after MAS unveiled plans to establish rules laying out how losses from online scams should be shared. The regulator had cautioned victims against assuming they would be able to recover their losses and urged all parties to remain vigilant.
Singapore's efforts to clarify accountability intensified following a massive phishing scam involving OCBC Bank customers, which resulted in losses totaling SG$13.7 million ($10.18 million). Several measures since were introduced to beef up local banking and communications infrastructures, including a "kill switch" banks must provide to enable customers to suspend their accounts in a suspected breach.
Also: What is ransomware? Everything you need to know and how to reduce your risk
MAS noted that payouts made to victims of the OCBC phishing scams, covering the full amounts lost to scammers, were a "one-off gesture," and made in consideration of the circumstances. These included the bank's acknowledgment it failed to meet its own expectations of customer service and response.
In its proposed shared responsibility framework, Singapore said financial institutions were critical as gatekeepers against the outflow of funds due to scams, while telcos played a supporting role as infrastructure providers of SMS, often used by scammers to communicate with targeted victims.
"Among scam types prevalent today, digitally-enabled scams that result in unauthorized transactions are of particular concern. As such transactions are performed without the customer's knowledge or consent [and] could undermine confidence in our digital banking and payments systems," the regulators said.
The framework takes on a "waterfall approach" where financial institutions, given that they hold greater responsibility as custodians of consumers' money, stand first in line in bearing the full loss should they fail to fulfill their duties. Telcos fall next in line, as they play a secondary role in ensuring the security of digital payments by facilitating SMS delivery.
Also: How to find and remove spyware from your phone
Both parties have "discrete and well-defined duties" to mitigate consumers' risk of falling victim to phishing scams. Breaching such duties, such as banks failing to send outgoing transaction notifications to consumers and telcos' failing to implement scam filters, will be the starting point to determine the party that will be held accountable for losses.
Only when financial institutions and telcos have carried out their respective duties, laid out in the framework, will they not be required to make payouts to affected consumers.
The regulators hope this will motivate telcos and financial institutes to ensure they maintain robust anti-scam controls. They also remind consumers of the need to always remain vigilant and refrain from clicking on unsolicited, suspicious links.
Among scenarios laid out in the proposed framework, consumers will bear all losses in phishing scams where they give away credentials verbally to scammers or if the impersonalization of unknown foreign entities are involved. Such cases do not fall within the scope of the framework as they do not contain a digital component and do not involve Singapore-based entities or legitimate overseas-based entities.
The shared responsibility framework also does not cover malware scams, as such scams are nascent. Setting measures at this stage would be premature, given that risk-mitigating measures still were developing, IMDA and MAS said.
Also: How long should a password be in 2023? You're asking the wrong question
The Singapore government would continue to monitor the scam landscape in future application of the framework, the regulators added. Industry and public feedback on the proposed paper should be submitted by Dec. 20.
Losses to scams have been on a growth trajectory worldwide, where 25.5% of citizens have lost almost $1.03 trillion to scams or identity theft in the past year, according to latest stats from Global Anti-Scam Alliance and ScamAdviser. In comparison, $55.3 billion were lost to scams in 2021 and $47.8 billion in 2020.
Victims in Singapore lost the most on average, clocking $4,031 in losses each, followed by their counterparts in Switzerland at $3,767 and Austria at $3,484 for each victim, the report found.
Singapore registered a 25.2% climb in scams and cybercrimes last year, with 33,669 reported cases, up from 26,886 in 2021. Scams accounted for the bulk, with victims losing SG$660.7 million ($501.9 million), up 4.5% from SG$632 million in 2021, according to the Singapore Police Force.
Also: The 3 biggest social media scams Americans are falling for
Phishing, e-commerce, and investment scams were among the top five most common tactics used against victims, making up 82.5% of the top 10 types of scams. Phishing cases topped the list, with 7,097 reported cases in 2022, up 41.3% from 2021.
IMDA said measures such as the mandatory SMS Sender ID Registry rolled out in January had cut the number of scam SMS cases by 70% in the three months since its introduction.