Singapore: Shared Responsibility Framework to be implemented from 16 December 2024

In brief

On 24 October 2024, the Monetary Authority of Singapore (MAS) and Infocomm Media Development Authority of Singapore (IMDA) announced that the Shared Responsibility Framework (SRF) for phishing scams will be implemented on 16 December 2024 via a set of guidelines. Under the SRF, financial institutions (FIs) and telecommunication operators (telcos) are assigned duties to mitigate phishing scams. The MAS and IMDA expect responsible entities to bear any scam losses arising from failure to fulfil any of the relevant duties under the "waterfall" approach.

The MAS and IMDA published a joint consultation paper on the SRF ("Consultation") on 25 October 2023, with the consultation period closing on 20 December 2023. Our earlier alert on the consultation can be accessed here. Our Local Principal Ying Yi Liew and Associate Joan Choo also wrote an article for the Singapore Law Gazette (September 2024 issue) on who bears the responsibility for tackling scams, which explores the SRF, recent regulatory changes, and their implications for financial institutions and tech platforms. Read the full article here.


Key implementation actions

Overall feedback on the SRF from the public was supportive. In response to the feedback received, the MAS will include an additional FI duty in the area of fraud surveillance, which requires FIs to have in place real-time fraud surveillance to identify unauthorised transactions linked to phishing scams. If a customer's account is being rapidly drained of a significant sum by scammers, the FI must either block the transaction until it is able to reach the customer for positive confirmation, or send a notification to the customer and block or hold the transaction for 24 hours. For this new fraud surveillance duty, there will be an additional six-month transition period, as it was not part of the original FI duties. The other duties will come into force on 16 December 2024, and compliance will be expected from then.

We recap the SRF duties of responsible FIs and responsible telcos below:

Duties of responsible FIs

  • FI Duty #1: Impose a 12-hour cooling-off period upon activation of a digital security token, during which "high-risk" activities cannot be performed. The equivalent duty applies in the context of accounts issued by relevant payment service providers when a new device is used to log in.
  • FI Duty #2: Provide notification alerts on a real-time basis for the activation of a digital security token to alert consumers to high-risk activity that may not have been authorised by the consumer. The equivalent duty applies in the context of accounts issued by relevant payment service providers when there is a login on a new device, or during the conduct of high-risk activities.
  • FI Duty #3: Provide outgoing transaction notification alerts on a real-time basis, which are essential in prompting consumers to react when there are unauthorised transactions (e.g., immediately reporting to the FI), and enable the FI to take timely remedial action.
  • FI Duty #4: Provide a 24/7 reporting channel and self-service feature (kill switch) to report and block unauthorised access to their accounts. FIs should also provide a kill switch that consumers can self-activate to immediately block their account and prevent further unauthorised transactions.
  • [New] FI Duty #5: Put in place real-time fraud surveillance directed at detecting unauthorised transactions in a phishing scam that results in an account being rapidly drained of a material sum to a scammer. In such scenarios, the FI must either block the transaction until it is able to reach the customer for positive confirmation, or send a notification to the customer and block or hold the transaction for 24 hours. The MAS will allow a six-month transition period for FIs to comply with this fraud surveillance duty.

Duties of responsible telcos

  • Telco Duty #1: Connect only to authorised aggregators for delivery of Sender ID SMS to subscribers.
  • Telco Duty #2: Block Sender ID SMS that are not from authorised aggregators.
  • Telco Duty #3: Implement an anti-scam filter for all SMS that pass through its network, where the SMS will be scanned to determine if it contains any URL that matches that of a known malicious URL in a designated database.

Further information

For further details on the SRF, you may refer to the following:

  • MAS Media Release on Implementation of Shared Responsibility Framework (24 October 2024) (link)
  • MAS Response to Consultation Paper on Proposed Shared Responsibility Framework (24 October 2024) (link)
  • MAS Consultation Paper on Proposed Shared Responsibility Framework (25 October 2023) (link)

Our Financial Services Regulatory team recently provided insights on the SRF and broader regulatory considerations for FIs in tackling the growing scam crisis:

  • We shared our expert insights on Singapore's enforcement response to the escalating scams crisis, at our Scams: Regulatory Expectations for FIs seminar on 17 September 2024. We discussed the latest legislative developments regarding scams as well as the critical steps FIs should take to implement the anti-scam measures under the MAS-ABS anti-scam initiatives, Guidelines for E-Payments User Protection and Guidelines on SRF, among others. See our LinkedIn post on the seminar here.

* * * * *

© 2024 Baker & McKenzie.Wong & Leow. All rights reserved. Baker & McKenzie.Wong & Leow is incorporated with limited liability and is a member firm of Baker & McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a "principal" means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an "office" means an office of any such law firm. This may qualify as "Attorney Advertising" requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.