20.5k unique visitors in the last 3 days

Singapore Proposes Telcos and Banks Will Share Liability for Smishing Losses

Telcos would need to fully compensate victims if banks met their obligations but the telco did not block malicious SMS messages.

A new joint consultation from the Monetary Authority of Singapore (MAS) and Singapore’s Infocomm Media Development Authority (IMDA) asks if telcos and financial institutions should both be required to compensate victims of SMS phishing scams, also known as smishing. The introduction to the consultation paper sets the scene:

This consultation sets out a proposed Shared Responsibility Framework (SRF) for sharing responsibility for scam losses amongst financial institutions (FIs), telecommunication operators (Telcos) and consumers, for unauthorised transactions arising from phishing scams. FIs and Telcos will provide payouts to scam victims for a defined set of phishing scams, if specified anti-scam duties are breached. The SRF will provide a more expedient channel for consumer recourse once it is operationalised next year.

The consultation talks about phishing but makes particular reference to the use of SMS to authenticate customers and transactions. The dependence of banks on SMS has spawned a criminal industry focused on hijacking phone services or fooling consumers into revealing one-time passcodes. The consultation focuses on the impersonation of reputable businesses and government functions rather than the multitude of other scams that occur online or over the phone.

There are three main aspects to the framework:

  1. A clear statement of the duties of both telcos and financial institutions
  2. Creating an obligation to compensate victims without needing regulators to intervene
  3. Also stipulating what victims should have done to protect themselves

Telcos are obliged to do the following:

  • Only allow authorized aggregators to send A2P SMS messages
  • Block other SMS messages
  • Scan SMS messages and block those containing known malicious URLs

Financial institutions have separate responsibilities that include a 12-hour delay between activating a security token on a new device and customers being able to engage in any ‘high-risk’ activities. This couples with a requirement to immediately notify customers of the activation of security tokens and high-risk activities.

Liability for compensating customers will be determined according to a strict sequence. If a financial institution has failed to meet any of their obligations per the framework then it will have to fully compensate an affected customer, irrespective of any telco failings. The telco will have to fully compensate customers if the financial institution has complied with all its obligations but the telco has not. Neither will be held liable for any consumer losses if all the requirements of the framework have been satisfied.

Singapore has emerged as a global leader in preventing scam communications. They have been aggressive in the way they have imposed a SenderID registry for SMS messages, and last year the Singapore Police Force created an Anti-Scam Command Office. Regulators in other countries should also monitor the response to this latest consultation as they should consider emulating the Shared Responsibility Framework if it receives broad support. Businesses should be open to accepting anti-fraud frameworks like these which create responsibilities for them but which also define the limit of their responsibilities.

The consultation documents can be found at the IMDA’s website here. Responses should be submitted by December 20 using this form.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email