Almost three years after high-profile OCBC scam cases grabbed the headlines, consumers in Singapore now have a small measure of protection with new regulations unveiled yesterday.
A few framework, in the works for several years now, makes financial institutions and telecom operators liable to pay phishing scam victims in full should they fall short of a new set of responsibilities.
Many of these responsibilities, including a cooling-off period for the activation of digital security tokens and a 24/7 reporting channel for banks, and allowing only authorised senders of SMSes for telcos, have already been implemented in recent years.
What’s new for banks and payment providers to do, crucially, is the setting up of real-time fraud surveillance to detect unauthorised transactions involving “material sums”.
This material sum refers to S$50,000 or more in an account, so if half or more of that amount is being transferred out in 24 hours, a bank is expected to either block the transaction or hold it until it can reach the customer, reported CNA.
The Monetary Authority of Singapore, which announced the new rules along with the Infocomm Media Development Authority yesterday, said the public had sought additional fraud detection from banks.
You would say that is one of the easiest-to-meet and fairest requests, considering the number of scam cases in Singapore where victims are unable to react to entire accounts of their precious savings being drained in mere minutes.
This also means banks cannot just throw their hands up and say their systems have not been breached and their perimeter defences and firewalls have kept out intruders.
When 790 victims lost S$13.7 million in the OCBC scam back in late 2021, the bank was quick to say its anti-fraud systems were working fine.
Yet, the victims were right to ask why the bank had not stopped to question the unusual behaviour of accounts being suddenly emptied, especially when hundreds of cases happened over more than a week.
Eventually, under public pressure, OCBC fully reimbused the victims in what it called a “goodwill gesture”.
Well, now there won’t be any goodwill necessary if a bank is found to have failed in its job to protect customers. That job is made clearer now and a bank will be liable to compensate a victim if it had breached its duties.
This is an improvement for consumers because they would not have to seek out a lawyer – after losing all their savings – to sue a bank that is backed by a lot more legal muscle.
To be sure, the scope of a bank’s duty of care is narrowly defined, but this should be a first step. It is an acknowledgement that banks can’t simply enjoy the benefits of digitalisation while pushing the risks onto consumers.
Starting from December, these financial institutions in Singapore will have six months to roll out systems to meet requirements of the new framework.
Other countries also have regulations or are in the process of drawing them up, to better protect consumers from the growing scourge of scams.
Each country will have its priorities. Britain, for example, has put the onus on banks to beef up security and stop fraud, by making them pay victims up to £85,000 within five days.
Notably, Singapore’s new rules are clear that a consumer will bear the full losses if the banks and telcos have done their jobs.
So, a consumer is at fault, for example, for mistakenly sending funds to a scammer if the bank has already warned about the transfer being made. Plus, account owners with less than S$50,000 will not get the same protection.
This means a huge chunk of the responsibility still falls on the individual to be wary of scams and take measures to avoid being a victim.
One way is to be aware of current scam tactics used by criminals; another is to be safer than sorry when it comes to keying in user credentials and approving transactions. That’s the first line of defence against a growing menace that has become hard to arrest.
In Singapore, scam losses are expected to be rise beyond a record S$770 million by the end of this year. That’s more than S$2.1 million lost a day.
