On 24 October 2024, the Monetary Authority of Singapore (MAS) and the Infocomm Media Development Authority (IMDA) introduced the Shared Responsibility Framework (SRF), instituting clear obligations for Financial Institutions (FIs) and Telecommunication operators (Telcos) to bolster consumer protection against phishing scams. The SRF assigns specific duties to these entities, mandating that they bear the financial consequences of scam losses when they fail to meet prescribed standards. This structured framework aims to ensure consumers have avenues for recourse while also strengthening anti-scam efforts across Singapore’s digital ecosystem.
The SRF comes after a lengthy consultation process that began in October 2023, during which MAS and IMDA gathered input from various stakeholders on how to improve accountability in the face of rising phishing attacks. Designed to protect consumers specifically from phishing scams with a clear Singapore nexus, the SRF outlines obligations for FIs and Telcos using a “waterfall” approach, establishing that each entity carries a specific level of responsibility based on its role in the ecosystem. If either party fails to uphold its assigned duties, it is obligated to compensate consumers for the losses incurred, an approach that MAS and IMDA see as necessary for strengthening consumer trust in the digital ecosystem.
Within this framework, responsibilities have been assigned chronologically and logically to ensure consumer protections are covered at every stage. Initially, the framework stipulates five key duties for FIs. The first duty requires FIs to impose a 12-hour cooling-off period when a digital security token is activated, during which no high-risk activities can occur. This delay gives consumers a buffer to detect any unauthorized activities before significant losses can occur. The second duty requires real-time notifications for the activation of digital security tokens and during high-risk account actions, such as logging in on a new device or adding new payees. Closely related is the third duty, which mandates that FIs provide outgoing transaction alerts in real time. Both of these notification-based duties aim to alert consumers immediately, enhancing vigilance and enabling swift action against unauthorised transactions.
The fourth duty requires FIs to establish a 24/7 reporting channel and a self-service “kill switch,” allowing consumers to quickly halt unauthorized account access. The “kill switch” must be intuitive and readily accessible, ensuring that consumers can effectively safeguard their accounts. Finally, a newly introduced fifth duty requires FIs to implement real-time fraud surveillance, especially targeting situations where a phishing scam may result in a rapid, unauthorized draining of funds. This surveillance is particularly impactful in high-value or high-risk sectors, such as cryptocurrency, where scam tactics often target unsuspecting consumers. In such cases, FIs are expected to block the transaction and contact the customer for confirmation or impose a 24-hour hold, providing an added layer of protection for large sums of money.
Telcos, for their part, have three core duties under the SRF to combat scam-related activities within the SMS ecosystem. Their first duty is to deliver Sender ID SMS only from authorized aggregators, to reduce the risk of spoofed messages. The second duty complements this by requiring Telcos to block all unauthorized Sender ID SMS messages. Finally, Telcos are required to filter SMS messages that contain known malicious URLs, to further reduce phishing risks. Telcos, as conduits for communication, hold secondary but essential responsibilities in preventing phishing scams, especially where scammers utilize SMS as their attack vector.
To ensure that these duties are upheld, the SRF introduces a systematic “waterfall” approach for assessing responsibility. Under this model, FIs are expected to bear the financial consequences first when duties are breached, with Telcos serving in a secondary role. This prioritisation shows the custodial role FIs play over consumer funds, while also acknowledging the supporting role Telcos have in facilitating secure communication. The “waterfall” approach has garnered mixed responses, with some stakeholders suggesting shared responsibility or a liability cap. MAS and IMDA, countering these points, suggested that this layered approach preserves direct accountability while remaining fair and straightforward for consumers seeking redress.
The SRF outlines a four-stage workflow for handling claims: claim submission, investigation, outcome communication, and recourse. The FI will serve as the primary contact for consumers throughout this process, coordinating with Telcos as needed. This design aims to ensure that affected consumers have a single, clear communication chain, reducing confusion and administrative burden during a distressing time. With an efficient claims process in place, consumers impacted by unauthorised transactions can quickly seek recourse and gain access to any financial compensation owed.
MAS and IMDA are taking an adaptable approach with the SRF, continuously evaluating it in light of the rapidly evolving scam landscape. Public feedback has highlighted the need to expand coverage to include other digital service providers, such as messaging platforms and app stores, which are frequently exploited by scammers. This feedback is relevant in the context of cryptocurrency, where scams often occur across multiple channels, including SMS, social media, and messaging platforms. MAS and IMDA acknowledged this need and suggested that as the SRF matures, it may gradually expand to hold these other stakeholders accountable.
According to MAS and IMDA, the government remains committed to public education, as scam prevention ultimately relies on an informed and vigilant consumer base. Recent initiatives like the ScamShield Suite, a one-stop portal providing resources for scam prevention, also reflect a proactive stance toward educating the public. Given the high stakes involved, particularly with scams that target cryptocurrency users, public awareness campaigns and educational resources play an essential role in complementing the SRF’s structural protections.
(Source: https://www.mas.gov.sg/news/media-releases/2024/mas-and-imda-announce-implementation-of-shared-responsibility-framework-from-16-december-2024, https://www.mas.gov.sg/-/media/mas-media-library/publications/consultations/pd/2023/srf/mas-imda-response-to-consultation-on-shared-responsibility-framework.pdf)