Shared Responsibility Framework for scams kicks in mid-Dec
To be shared between banks, telcos, and consumers.
Liability for losses from phishing scams in Singapore will soon be shared between banks, telcos, and consumers under a new framework.
The guidelines as set out in the "Shared Responsibility Framework" will kick in on Dec 16 this year, according to reports last week.
New responsibilities
All full banks and payment service providers must implement the following:
- Real-time notifications for outgoing transactions.
- 12-hr wait after activating digital security token.
- Real-time fraud surveillance.
Telcos have the responsibility to ensure that:
- Only legitimate Sender ID SMSes allowed.
- Block SMSs not from authorised aggregators.
- Block malicious URLs found in designated database.
Figuring out who is on the hook
When it comes to liability for scam losses:
- Financial institutions are first in line and will have to bear full losses if required duties are found to be breached.
- Telcos are on hook next: If the bank did their job but the telco did not, then the telco will have to bear the losses.
- If both the bank and telco carried out their duties, then the consumer would bear the full losses.
Rapidly drained of funds
The most interesting is probably the requirement that financial institutions check if a customer account is being "rapidly drained" of funds.
An account is considered to be rapidly drained if:
- It has S$50,000 or more (AND)
- If more than half is withdrawn in 24 hours.
This will presumably ensure that scammers don't drain life savings overnight in cases where they have taken over the victim's smartphone.
Tough luck if you have less than S$50,000 though.
What does this mean?
In my opinion, modern scams have evolved beyond the ability of the man on the street to adequately protect themselves against.
Urgent intervention is needed to stem surging losses from online scams, some of which have proved to be life-changing - with entire savings drained.
The real value of the Shared Responsibility Framework has to do with how it compels the industry to develop and implement more robust anti-scam measures.
And the framework can be easily updated to impose more stringent measures over time. Already, I've noticed how recent measures by DBS exceed the stated requirements.
Of course, do expect some level of inconvenience as some transfers are put on hold or delayed.
It's a small price to pay to go toe-to-toe with global scam syndicates though.