Ms Sylvia Lim asked the Prime Minister regarding the Shared Responsibility Framework that was jointly proposed by MAS and IMDA on 25 October 2023, how does the “waterfall approach” on losses arising from phishing scams adequately safeguard consumers’ interests.
Mr Alvin Tan: The SRF prescribes a set of anti-scam duties for financial institutions (FIs) and telecommunication companies (telcos) and provides for payouts to victims of phishing scams when these duties are breached. Under SRF, the FI stands at the top of this waterfall. If the FI does not fulfil any of its four anti-scam duties, it will compensate the scam victim fully for the loss suffered, regardless of whether the telco has discharged its duties or the victim has taken the necessary precautions. Likewise, if the FI has fulfilled its duties but the telco has not, then the telco is expected to bear full responsibility for the loss. Only if both the FI and telco have discharged their duties fully, will the customer, who stands at the bottom of the waterfall, have to bear the loss.
This approach recognises the key roles of FIs and telcos in preventing scams, and also reflects the SRF’s policy intent of strengthening their direct accountability to consumers. It incentivises FIs and telcos to strictly uphold the desired standards of anti-scam controls.
The duties defined for FIs in the SRF are built on a broader suite of measures that major retail banks are implementing to strengthen the security of digital banking in Singapore. Based on data collected by the Police, the Monetary Authority of Singapore (MAS) estimates there were about 15,000 phishing scam cases from 2021 to mid-2023, with an average loss per case of about S$3,900. We do not have data on the number of phishing scams that involve potential breaches of duties by FIs, but such data will be tracked under the SRF going forward.
Besides assigning accountability for scam losses, the important point is that full implementation by FIs and telcos of their respective safeguards should materially reduce the risk of phishing scams in this first instance. As it stands today, the number of phishing scams has continued to rise in the first half of this year compared to the previous period, but has declined as a proportion of total scam cases from 17% to 13%. The average loss per phishing scam has also declined by 20% over the same period. The Government will continue to monitor this closely. We are all committed to stem this rising tide of scams and losses.
Dr Tan Wu Meng had asked if the SRF would consider seniors with limited digital literacy when their bank phased out the use of physical hardware tokens. The retail banks already offer physical tokens for customers who request for them. Separate from the SRF, MAS has asked the banks to assess and implement customer authentication mechanisms that are more resistant to both phishing and malware attacks. When these measures are well developed, we can consider them for inclusion into the SRF.
Sir, we should see the SRF as part of broader suite of measures that the Government, the banks and other ecosystem players have progressively implemented to tackle the scourge of scams in Singapore. I covered these measures extensively in my response to the Adjournment Motion filed by Ms Lim in September. The Association of Banks in Singapore (ABS) released a media statement on 24 October 2023 outlining banks’ efforts to protect consumers against scams, including through anti-scam measures and also raising consumer awareness.
But SRF is not the only means through which scam victims can seek assistance. As ABS announced, banks have discretionary goodwill payment frameworks for their scam victims beyond the SRF. Depending on the circumstances of each scam case, the sophistication of the scam typology and the consumer’s financial situation, banks have covered part or all of the losses incurred by scam victims.
MAS has leaned on the banks to be even more accommodative in applying their goodwill payment frameworks. These goodwill frameworks complement the SRF, which is intended to strengthen the accountability of FIs and telcos to consumers when they have breached their defined duties.
Mr Speaker: Ms Sylvia Lim.
Ms Sylvia Lim (Aljunied): Thank you, Speaker. I have three supplementary questions for the Minister of State. The waterfall approach that is described in the paper, of course, MAS acknowledges that it is actually quite drastically different from the approach being taken in the United Kingdom (UK), where there is going to be a default requirement for banks to compensate customers, unless the customer was fraudulent or grossly negligent.
I wonder if he will agree with me that the waterfall approach can actually be seen as giving the banks a free pass, if they are able to tick the four boxes. That means to say, if they fulfil the four prescribed duties that are in the paper, they will not have to bear any losses, and based on the case studies in the paper, it appears to be so. So, I wonder whether he will agree with me that, in effect, this is what the waterfall approach will end up achieving for the banks.
The second question is: he mentioned that the four obligations set out in the paper are already being implemented by the banks. I do not know whether fully or progressively. So, how different is it really from the current status of the banks fulfilling these duties, and is the Government concerned that many scam victims will remain uncompensated under the SRF framework?
Thirdly, on the question of physical tokens, I have a Parliamentary Question No 44 on this topic, but I do not know why it was not grouped together. He mentioned that customers can request for physical tokens from the banks. I have received many emails from the public to say that this is not offered by their banks, they were told that it has been phased out.
And I myself went to a local bank to request a hardware token. It was not easy. I was first told that it is not going to be issued. And then, I had to insist and special approval was then obtained from the branch manager to issue the token to me. I was also warned that it might be phased out in due course and they cannot assure me that this service would be available. So, I wonder whether the Minister of State is aware of this as well.
Mr Alvin Tan: I thank Ms Sylvia Lim. In fact, I want to thank Ms Sylvia Lim and Dr Tan Wu Meng for constantly working on this, together with MAS as well as the Government. I think it is an issue which we are incredibly concerned about and we are taking action.
If the Member might indulge me, I will first answer the third question. Thank you for that feedback. What we can do and what we will ask the banks to do in terms of the request for tokens, is to make it easier. So, we take that feedback and we will put it back through MAS as well as the banks to ensure that customers who require physical tokens and are going to the banks to request for physical tokens, that process is made easier, particularly if they are not as adept or they do not yet have that confidence with digital tokens. I think that is a very important point, so, thank you for making that point. We will look into it and we will ask the banks to smoothen this process out.
The Member then also had two questions, with regard to the waterfall approach, as well as whether the banks are already fulfilling duties. Given that the Member had talked about the approach by the UK, maybe I can draw a distinction between what the UK is doing and what we are doing. There are, of course, variations between the UK’s approach, as well as our approach, and let me go into detail why we have taken this approach.
First, the recent moves by the UK and Australia are not the norm globally; and, in fact, these approaches will evolve over time. Singapore, like many jurisdictions, has adopted a slightly different approach on scams that are involving authorised transactions. Authorised transactions are scams, such as love, investment and job scams, for which the customer has authorised the transactions. If you think about the pre-digital banking days, the victims of such scams would have effectively just handed over cash, or written a cheque to these scammers promising a job or an investment return. Now, they are making these transactions through digital means.
It is challenging for a bank or telco if the SRF were to cover such scams – it would have to extend to all manner of deceptions, where victims are tricked into willingly handing over their money. That is why for scams involving authorised transactions, in this case, the best approach – and, in fact, we are raising this awareness – is for customers to exercise utmost vigilance and take personal responsibility. Therefore, we also stepping up public education efforts, including constant public advisories.
But as we had discussed in the Adjournment Motion, we also want to guard against the moral hazard risk, in terms of consumers letting their guard down and potentially also working in cahoots with scammers to defraud the banks.
Both the Member and I have heard feedback, even from the general public, that it would not be fair for the FIs, telcos and, ultimately, the wider group of customers who have exercised care, to have to bear the cost of compensating the scam losses from authorised transactions.
Scams involving unauthorised transactions are, of course, fundamentally different. The transfer takes place primarily without the victim’s knowledge or consent. That is why we place responsibility on the FIs at the top of the waterfall and the telcos at the second layer, to safeguard the consumer.
Therefore, the SRF is for phishing scams where the customer is tricked into disclosing his bank credentials and scammers are looking at unauthorised withdrawals.
I will also share a couple of things that are quite important. This framework has to be seen in a broader scheme of things. What the banks have been doing – and in fact, MAS has been working very closely with them, together with the Cyber Security Agency (CSA), as well as the Infocomm Media Development Authority (IMDA) – are, and I think the Member would have seen them, some of the changes and developments since the Adjournment Motion.
First, MAS works very closely with the banks to implement and strengthen anti-scam controls. Since we have discussed in our Adjournment Motion, four major retail banks have rolled out anti-malware controls. These restrict customers’ access to their apps, if potentially malicious risky apps not uploaded from official stores or portals, are detected on the customers phones.
I wanted to update the Member also on how banks are exploring “money lock”, which allows customers to set aside an amount in their bank accounts which cannot be digitally transferred out without strict authentication measures. For now, DBS, OCBC and UOB will be implementing their versions of “money lock” this month.
I also talked earlier on about the goodwill payment frameworks. MAS is leaning on the banks to be even more accommodative in applying these goodwill payment frameworks, taking into account the sophistication of scam typology, as well as consumers’ financial situations, amongst others. So, in concert, these are different measures.
With regards to the consultation paper, it is ongoing right now. It is from 25 October to 20 December. We are asking six questions, including the questions the Member had asked about the waterfall approach, and about evolving scam typologies and the approaches to this. So, we will take all of the feedback, which have been given to us, and we will review that at the end of it.
We intend to operationalise the SRF by early next year. So, I encourage the Member to submit, and she can also directly send to me, her comments as well as reviews. There are 15 case studies. I have studied the case studies. These are different duties that either the FIs or telcos have to fulfil.
But the scenarios are not exhaustive. So, if there are different scenarios that the SRF would benefit from referencing, I think these will be very helpful, as we roll out and operationalise the SRF.
Mr Speaker: Ms Sylvia Lim.
Ms Sylvia Lim: Speaker, two further questions for the Minister of State. Earlier, the Minister of State mentioned that SRF, as proposed by MAS, covers only unauthorised transactions. Does he agree with me that even accepting that premise, so long as the banks fulfil the four obligations defined in the paper, even if the bank was negligent in some other way, the bank can actually push the liability down the waterfall? That is my first clarification.
Secondly, I wonder whether he is prepared to clarify on this point: assuming the customers are not satisfied under the SRF framework and they have no choice but to go to the Financial Industry Disputes Resolution Centre (FIDReC), can the banks rely on the four obligations in the framework to say that, “Well, under the framework, we have done these four tasks and the paper says that 100% liability goes to you, so, we would not offer you any settlement payments at all.” Can they do this at FIDRec?
Mr Alvin Tan: To the second question, it depends on a case-by-case basis. So, for now, if it is unauthorised transactions and if it goes through the waterfall approach, for example, if the FIs have fulfilled their duties, the telcos have fulfilled their duties and, in this case, the customers themselves have fulfilled their duties, then it is up to the banks also to see whether they can implement. And, in fact, they will and have implemented a goodwill payment framework. Importantly, it is that, for it to be fair to the FIs, the telcos as well as consumers, we have to strike a fair balance between responsibility of the FIs and telcos as well as consumers.
So, the goodwill payment framework has already been operationalised by the banks. MAS will lean in on the banks to tilt the balance towards the banks offering more of these goodwill payment frameworks. But there has to be due consideration.
For example, if the consumer himself has faced a particular financial hardship, then the banks will take all of these into account when deciding whether to issue a goodwill payment to the consumer.
Ministry of Trade and Industry
7 November 2023
https://sprs.parl.gov.sg/search/#/sprs3topic?reportid=oral-answer-3373
Office of the Leader of the Opposition 