A Framework for Equitable Sharing of Losses Arising from Scams

DigitalCFO Newsroom | 7 February 2022

The Monetary Authority of Singapore (MAS) said today that banks in Singapore have substantially implemented the additional measures to bolster the security of digital banking announced on 19 January 2022. The measures, taken together, provide a significant added layer of security to protect customers’ funds. MAS is working with the industry to evaluate longer-term measures to be implemented in the coming months, as well as to develop a framework for equitable sharing of losses arising from scams.

  1. The Payments Council, chaired by MAS, has been working since July 2021 on a framework that aims to provide clarity on how losses arising from scams are to be shared among consumers and financial institutions.
  2. Under the framework, all parties have responsibilities to be vigilant and to take precautions against scams.
  • Financial institutions have the responsibility to protect their customers, such as through robust controls to safeguard customer accounts, and effective measures to detect and respond to suspicious transactions.
  • Customers have the responsibility to take necessary precautions, especially by never giving away personal or banking credentials to anyone, never clicking on links in SMSes or emails which are claimed to be sent by a bank, and transacting only through the bank’s official website or mobile application.
  3. The proportion of losses each party bears will depend on whether and how the party has fallen short of its responsibilities. MAS expects financial institutions to treat their customers fairly and bear an appropriate proportion of losses arising from scams. At the same time, care must be taken to ensure that compensation paid to customers does not weaken the incentive for all parties to be vigilant. OCBC’s recent goodwill payouts to fully cover customer losses were a one-off gesture by the bank in the circumstances, which included the bank’s consideration of how it had not met its own expectations of customer service and response. They do not set a general precedent for future cases.
  4. MAS aims to publish the framework for public consultation within the next three months. Other than the sharing of losses, the consultation will also cover the responsibilities of other key parties in the ecosystem.
  5. Customers are urged to exercise greater vigilance and adhere to the following digital safety practices:
  • Never click on links provided in SMSes or emails claimed to be sent by banks.
  • Never disclose internet banking credentials or passwords to anyone, including persons claiming to be from banks or government agencies.
  • Verify SMSes or emails received by calling the bank directly on the hotline listed on its official website.
  • Transact only on the bank’s official website, or through the bank’s official mobile application.
  • Closely monitor transaction notifications received from the bank so that any unauthorised payments are reported as soon as possible to increase the chances of recovery.
  • Keep your devices updated with the latest security patches and anti-virus software.

Fighting to be on the winning side of the cyber Darwinian contest, constantly – Ajay Biyani, Regional Vice President, ASEAN – ForgeRock

“According to the 2021 ForgeRock Consumer Breach Report, phishing scams, ransomware attacks, misconfigured servers that allow unintended access and passwords reused for multiple accounts are some of the key contributors that led to unwanted access to sensitive information.

Cyberattacks continue to become more sophisticated. Typically, digital attack attempts that are close to the boundaries of vulnerability and uncertainty, such as claiming issues with one’s bank accounts, are more successful with victims ending up clicking a URL and inadvertently sharing log-in credentials.

In a digital economy such as Singapore, to address these increased risks, organisations need to ensure updated planning for emergency scenarios, leverage AI and machine learning (ML) technologies to identify anomalies that lie outside of normal tolerance at pace, enable contextual and adaptive multi-factor authentication, and institute a Zero Trust policy that ensures accurate identity and access management (IAM).

Financial institutions are no longer in the lending business; they are in the trust business. Consumers need to be able to trust them to manage and protect their private information, and companies that implement digital identity management solutions are well positioned to earn that trust.

At the same time, the need to continue to invest in consumer education and awareness programs cannot be understated. With the Monetary Authority of Singapore (MAS) introducing new measures recently and the latest announcement of a framework for equitable sharing of losses, the onus lies on both parties to practice good cyber hygiene and safeguard their data.”