Financial institutions, telcos accountable to scam victims if found negligent under planned framework

SINGAPORE - Mobile phone operators that fail to fulfil duties outlined under a proposed framework may soon have to share the responsibility with financial institutions such as banks, when it comes to reimbursing victims of certain phishing scams.

This framework was outlined in a joint consultation paper by the Monetary Authority of Singapore (MAS) and Infocomm Media Development Authority on Wednesday that seeks to strengthen the direct accountability of financial institutions and telcos to consumers.

The move will likely make Singapore the first jurisdiction to include telecommunication operators or other infrastructure service providers in a fraud reimbursement framework. 

The authorities said placing “duties on responsible telcos” aims to reduce the risk of scam SMSes being sent to consumers.

The move is part of a proposed “waterfall approach” that will assess responsibility, with retail banks such as Citibank, DBS, UOB and OCBC, and payment service providers like Grab that offer e-wallets, first in line. 

This is because they are custodians of consumer funds and so play a critical role as gatekeepers against money being misappropriated by scammers. They have the primary responsibility to implement robust controls to safeguard accounts and to effectively respond to suspicious transactions, the regulators said. 

If they carry out these duties properly, they will not be required to reimburse phishing victims, particularly those who are duped into revealing their account credentials, such as usernames and passwords, to scammers impersonating legitimate entities such as government agencies or banks.

Consumers in such cases will then have to bear the full loss. They can take action by lodging a complaint at the Financial Industry Disputes Resolution Centre.

Telcos stand second in line as they are the infrastructure providers for SMS texts. Scammers have tried to impersonate financial institutions and other businesses using SMSes that appear as legitimate ones sent by banks, for example. 

Not all phishing scams are covered in the proposed framework. 

Scams covered include those where a fraudster pretends to be from a legitimate entity such as SingPost or DHL and sends e-mails or SMSes claiming account-related issues, to trick victims into clicking a URL link to a fake website to enter their account details.

They include those where a scammer claims to be from a financial institution offering deals like high interest rates on fixed deposits and free mobile phones to trick victims into clicking a URL link to a fake website to enter account credentials. 

Scams where victims authorise payments to a fraudster, such as those arising from investment or love scams, are not covered. 

Malware scams are not covered either. These usually involve scammers duping people into downloading and installing malicious Android apps, which give remote access to victims’ devices to obtain their Internet banking credentials or credit card details.

The new proposals would require banks to impose a 12-hour cooling-off period to prevent large sums from being transferred from an account to a third party if a scammer has phished a person’s credentials and activated a digital security token. They should send alerts to consumers and take preventive measures if the activity is unauthorised.

A 24/7 reporting channel and self-service feature such as a kill switch should be set up so that consumers can report and block unauthorised access to their accounts.

Telcos can deliver a sender identification SMS to a subscriber only if it originates from an authorised aggregator. An aggregator is a link between a business that wants to send an SMS and the mobile phone network that delivers it to a user’s mobile phone.

Telcos must block sender identification SMSes from all other channels to prevent consumers from receiving one from unauthorised or unknown networks. They must implement an anti-scam filter for all SMSes and block those with known phishing links.

Breaches of these duties would be the starting point for determining who is to be held responsible for losses under the framework, which builds on the work done last year by the Payments Council to counter phishing scams involving financial institutions. 

The regulators noted on Wednesday that digitally enabled scams that result in unauthorised transactions are of particular concern as they could undermine confidence in Singapore’s digital banking and payments systems.

“It is therefore critical for consumers to continue to exercise vigilance at all times and not click on any unsolicited, suspicious links,” they said.

The joint consultation paper seeks comments on the scope of the new guidelines, the duties of financial institutions and telcos, and the approach for payouts for scam losses, among other things. 

An MAS spokesman said the Government will take into account feedback from the public and publish a response to the consultation. It expects to implement the framework in the first half of 2024, he added.

The number of phishing scams here involving banks fell from a high of 839 in December 2021 to 113 in May 2022, according to police data.

Banks recovered about $57.6 million from different scams in the first nine months of this year, the Association of Banks in Singapore said on Tuesday, adding that new anti-malware tools have further protected customers from potential losses of at least $18.6 million.

Countries like Australia have also considered shared loss schemes as a result of scams. The European Commission has proposed a “refund” to victims of certain types of fraud, while Britain is planning to enforce mandatory reimbursement by banks to scam victims of up to £1 million (S$1.66 million) – with the sending and receiving banks sharing the bill. 
