Singapore Requires Banks, Telecoms to Prevent Scams
SMS Impersonation Scam Victims Must Be Made Whole
Singapore regulators gave banks six months to institute real-time detection tools for blocking impersonation scams or else assume liability for stolen funds. A finalized framework published Thursday also shifts liability onto island-nation telecoms unless they block fraudulent SMS messages.
The regulation seeks to stymie scammers masquerading as government agencies or legitimate businesses who wipe out victims' accounts. Singapore police in February reported a nearly 50% increase in scams during 2023 when compared to the previous year, resulting in losses of nearly SG$652 million - approximately $484 million.
The "shared responsibility framework" from the Monetary Authority of Singapore and the Infocomm Media Development Authority establishes what regulators dub a "waterfall" approach to making victims whole again. Financial institutions that don't institute controls automatically assume liability. If they comply, regulators will investigate telecoms for possible violations of the new framework. Only when both institutions hew to the regulations will consumers be liable.
Regulators said the framework will take effect on Dec. 16 but gave banks until mid-2025 to implement real-time controls for blocking scammer-initiated transactions whenever fraudsters seek to take more than half of an account balance within 24 hours or if the targeted account holds more than SG$50,000.
The regulations will likely make it harder for consumers to engage in high-value transactions, acknowledged Ho Hern Shin, a monetary authority deputy managing director. "This additional friction is necessary to protect customers," she said.
New obligations for financial institutions include imposing a 12-hour cooling-off period triggered when users activate a digital security token or after detecting a login into a protected account issued by a payment service provider from a new device. Financial institutions must also notify account holders of suspicious activity and provide a portal for consumers to block access to their accounts.
Regulators ordered telecoms to only display the sender’s name on SMS messages if the text originates with a registered, authorized aggregator. They also told them to block SMS messages containing known malicious URLs.
The framework doesn't cover all scams. Regulators said they've excluded malware-enabled scams, malvertising and account-draining scams that depend on harvesting credentials through non-digital means, such as over the phone or through in-person interaction.
The Monetary Authority of Singapore's Shin said the agency is considering additional measures to safeguard digital banking such as requiring banks to use FIDO-compliant authentication tokens.