A new joint consultation from the Monetary Authority of Singapore (MAS) and Singapore’s Infocomm Media Development Authority (IMDA) asks if telcos and financial institutions should both be required to compensate victims of SMS phishing scams, also known as smishing. The introduction to the consultation paper sets the scene:
This consultation sets out a proposed Shared Responsibility Framework (SRF) for sharing responsibility for scam losses amongst financial institutions (FIs), telecommunication operators (Telcos) and consumers, for unauthorised transactions arising from phishing scams. FIs and Telcos will provide payouts to scam victims for a defined set of phishing scams, if specified anti-scam duties are breached. The SRF will provide a more expedient channel for consumer recourse once it is operationalised next year.
The consultation talks about phishing but makes particular reference to the use of SMS to authenticate customers and transactions. The dependence of banks on SMS has spawned a criminal industry focused on hijacking phone services or fooling consumers into revealing one-time passcodes. The consultation focuses on the impersonation of reputable businesses and government functions rather than the multitude of other scams that occur online or over the phone.
There are three main aspects to the framework:
- A clear statement of the duties of both telcos and financial institutions
- Creating an obligation to compensate victims without needing regulators to intervene
- Stipulating what victims themselves must have done to protect themselves
Telcos are obliged to do the following:
- Only allow authorised aggregators to send A2P (application-to-person) SMS messages
- Block other SMS messages
- Scan SMS messages and block those containing known malicious URLs
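The three telco duties above amount to an allowlist on the sending side and a blocklist on the content side. The following is an added example, not code from the consultation, MAS, IMDA or any telco, of how an SMS gateway could enforce them: a message is delivered only if it arrives via a registered aggregator, uses a SenderID registered to that aggregator, and carries no URL whose host is on a known-malicious list. The aggregator names, SenderIDs, URL hosts and sample messages are all constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed registry: aggregator -> SenderIDs it is authorised to use.
# A real deployment would read the regulator's SenderID registry instead.
REGISTERED_AGGREGATORS = {
    "aggregator-a": {"BANKSG", "GOVSG"},
    "aggregator-b": {"SHOPMART"},
}

# Constructed blocklist of known-malicious URL hosts (placeholder names).
MALICIOUS_HOSTS = {"banksg-verify-login.example", "gov-refund.example"}

# Simple URL/host extractor: optional scheme, then a dotted host with an alphabetic TLD.
URL_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/[^\s]*)?", re.IGNORECASE)


@dataclass
class SmsMessage:
    aggregator: Optional[str]  # None when the message did not arrive via a registered aggregator
    sender_id: str
    body: str


def extract_hosts(body: str) -> set:
    """Return the lower-cased hosts of every URL-like token in the message body."""
    return {m.group(1).lower() for m in URL_RE.finditer(body)}


def host_is_malicious(host: str) -> bool:
    """Exact match or subdomain of a blocklisted host."""
    return any(host == bad or host.endswith("." + bad) for bad in MALICIOUS_HOSTS)


def filter_sms(msg: SmsMessage) -> Tuple[str, str]:
    """Apply the three telco duties in order; return ('deliver' | 'block', reason)."""
    # Duty 1/2: only registered aggregators may submit A2P traffic; block the rest.
    if msg.aggregator not in REGISTERED_AGGREGATORS:
        return ("block", "aggregator not registered")
    # The SenderID must also be one this aggregator is authorised to use.
    if msg.sender_id not in REGISTERED_AGGREGATORS[msg.aggregator]:
        return ("block", f"sender id {msg.sender_id!r} not registered to {msg.aggregator}")
    # Duty 3: scan the body and block messages carrying known-malicious URLs.
    for host in sorted(extract_hosts(msg.body)):
        if host_is_malicious(host):
            return ("block", f"known malicious url host: {host}")
    return ("deliver", "ok")


if __name__ == "__main__":
    # Constructed sample traffic.
    samples = [
        SmsMessage("aggregator-a", "BANKSG", "Your OTP is 123456. Do not share it."),
        SmsMessage(None, "BANKSG", "Your OTP is 123456. Do not share it."),
        SmsMessage("aggregator-b", "BANKSG", "Account locked, call us."),
        SmsMessage("aggregator-a", "BANKSG", "Verify now at https://banksg-verify-login.example/login"),
    ]
    for s in samples:
        print(filter_sms(s))
```

The checks run in the order the duties are listed, so a spoofed SenderID is rejected before any content scanning happens; the URL blocklist only ever sees traffic that has already passed the registry checks.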
Financial institutions have separate responsibilities that include a 12-hour delay between activating a security token on a new device and the customer being able to perform any ‘high-risk’ activities. This is paired with a requirement to notify customers immediately both when a security token is activated and when a high-risk activity takes place.
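The cooling-off duty is a small piece of state-keeping: record when a token was activated on each device, refuse high-risk actions from that device until 12 hours have passed, and emit a notification on both activation and each high-risk action. The following is an added example of that logic, not code from the consultation or from any financial institution; the set of high-risk actions, the customer and device identifiers and the timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

COOLING_OFF = timedelta(hours=12)  # the 12-hour delay described in the consultation

# Constructed list of what this hypothetical institution classes as high-risk.
HIGH_RISK_ACTIONS = {"add_payee", "raise_transfer_limit", "large_transfer"}


class TokenActivationPolicy:
    """Tracks security-token activations per (customer, device) and gates high-risk actions."""

    def __init__(self) -> None:
        self.activated_at: Dict[Tuple[str, str], datetime] = {}
        # (customer_id, timestamp, message) tuples the institution must send immediately.
        self.notifications: List[Tuple[str, datetime, str]] = []

    def activate_token(self, customer_id: str, device_id: str, when: datetime) -> None:
        """Record a token activation and queue the immediate customer notification."""
        self.activated_at[(customer_id, device_id)] = when
        self.notifications.append(
            (customer_id, when, f"security token activated on device {device_id}")
        )

    def authorise(self, customer_id: str, device_id: str, action: str, when: datetime) -> Tuple[str, str]:
        """Return ('allow' | 'deny', reason) for an action requested from a device."""
        if action not in HIGH_RISK_ACTIONS:
            return ("allow", "not a high-risk action")
        activated = self.activated_at.get((customer_id, device_id))
        if activated is None:
            return ("deny", "no security token activated on this device")
        elapsed = when - activated
        if elapsed < COOLING_OFF:
            remaining = COOLING_OFF - elapsed
            return ("deny", f"cooling-off period in force, {remaining} remaining")
        # Permitted: the high-risk action itself also triggers an immediate notification.
        self.notifications.append(
            (customer_id, when, f"high-risk action {action} performed from device {device_id}")
        )
        return ("allow", "cooling-off period has elapsed")


if __name__ == "__main__":
    policy = TokenActivationPolicy()
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed activation time
    policy.activate_token("cust-1", "phone-new", t0)
    print(policy.authorise("cust-1", "phone-new", "add_payee", t0 + timedelta(hours=2)))
    print(policy.authorise("cust-1", "phone-new", "add_payee", t0 + timedelta(hours=12)))
    for n in policy.notifications:
        print(n)
```

Timestamps are timezone-aware so that the 12-hour comparison is unaffected by local time changes; the policy keys on the device as well as the customer, so an attacker-enrolled device cannot inherit the standing of a device the customer has used for years.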
Liability for compensating customers will be determined according to a strict sequence. If a financial institution has failed to meet any of its obligations under the framework, it must fully compensate the affected customer, irrespective of any telco failings. The telco must fully compensate the customer if the financial institution has complied with all its obligations but the telco has not. Neither will be held liable for the consumer's losses if all the requirements of the framework have been satisfied.
Singapore has emerged as a global leader in preventing scam communications. It has been aggressive in imposing a SenderID registry for SMS messages, and last year the Singapore Police Force created an Anti-Scam Command Office. Regulators in other countries should monitor the response to this latest consultation, and should consider emulating the Shared Responsibility Framework if it receives broad support. Businesses should be open to accepting anti-fraud frameworks like this one, which create responsibilities for them but which also define the limits of those responsibilities.