New Framework to Provide Compensation to Scam Victims in Singapore

In the first half of 2023 alone, scam victims in Singapore have been cheated out of a total amount of approximately S$334.5 million. Over 22,000 scam cases have been reported, comprising e-commerce scams, job scams as well as phishing scams. Scammers have approached their victims via popular messaging platforms (e.g. WhatsApp and Telegram), social media, and online shopping platforms, as well as phone calls and SMSes.

To combat the rise in scams and help mitigate some of the losses suffered by scam victims, the Monetary Authority of Singapore (MAS) and the Infocomm Media Development Authority (IMDA) have proposed a Shared Responsibility Framework (SRF) for digitally enabled phishing scams. The SRF is still in the draft stage and has just been published for public consultation and feedback.

What is the Proposed Shared Responsibility Framework?

The SRF targets digitally enabled phishing scams. Phishing scams are scams that typically start with a scammer contacting a consumer and gaining the consumer’s trust by impersonating official and legitimate entities (e.g. government ministries, financial institutions like banks). The scammer will then provide a link to the consumer through a digital messaging platform (e.g. SMS), which redirects the consumer to a fabricated digital platform (e.g. a fake website). The consumer will be asked to enter his/her account credentials, and the scammer then uses those credentials to take over the consumer’s account and perform unauthorised transactions.

The phishing scams covered by the SRF should also have a clear connection to Singapore. For example, the entities impersonated should be based in Singapore, or based overseas but known to offer their services in Singapore. The requirement of a clear connection to Singapore is in line with the policy objective of preserving confidence in digital payments and digital banking in Singapore.

The overriding aim of the SRF is to reduce the risk of phishing scams with a connection to Singapore that happen digitally, by strengthening the direct accountability of the relevant stakeholders – primarily financial institutions and telecommunication companies. Under the proposed SRF, additional duties will be imposed on financial institutions and telecommunication companies to mitigate phishing scams and they will be required to make pay-outs to affected scam victims if they fall short of and breach those duties.

As mentioned, the proposed SRF will only cover phishing scams. It will not cover the following:

  • Scams where victims authorise payments to the scammer, i.e. where the victims have been deceived but intend to perform payment transactions to the scammers at the time of such transactions. These scams require a different approach to dealing with them, as the victim intended to perform the transaction. Further, such scams do not fundamentally affect confidence in digital payments or digital banking, since they can also happen in the non-digital world.
  • Scams where consumers are deceived into giving away their credentials via non-digital means (e.g. face to face, or via phone).
  • Unauthorised transaction scams that do not involve phishing (i.e. hacking, identity theft, malware scams).

The concept of a shared responsibility model to combat scams is not unheard of. For example, in the United Kingdom, from 2024 onwards, banks and other payment service providers will be required to reimburse their customers who fall victim to authorised push payment fraud, provided certain conditions are met. Examples of such conditions include that the claims have to be submitted within 13 months after the final payment to the fraudster, and the customer must not have acted fraudulently or with gross negligence.

In Australia, government agencies are also considering legislative changes which would hold banks, telecommunication companies, and social media platforms responsible for ensuring scam safety by, amongst others, making them liable to reimburse scam victims who have lost money.

Multinational corporations have also adopted shared responsibility models in their interactions with consumers. For example, Amazon has in place a shared model which distributes responsibility for operational security between itself and the consumers using its services. Under Amazon’s shared responsibility model, Amazon is responsible for the security of the AWS Cloud, i.e. protecting the infrastructure that runs all the services offered in the AWS Cloud, whereas the consumer is responsible for the security in the AWS Cloud in respect of their own guest operating systems, databases and applications, e.g. configuring the provided firewall for the consumer’s needs, managing and keeping up to date with security patches etc.

What are the key features of the proposed Shared Responsibility Framework?

One main feature of the proposed SRF is that it follows a “waterfall” approach to determine which party will bear responsibility for the losses suffered by scam victims:

  1. At the top of the “waterfall” are the financial institutions, which hold the greatest responsibilities as the custodians of consumers’ monies and as gatekeepers against the outflow of monies from consumers’ accounts due to scams. Thus, if financial institutions fail to discharge their prescribed duties, they will be expected to bear the full loss suffered. However, if the financial institutions have fulfilled their duties, then the responsibility “spills over” the edge of the “waterfall” to the next stakeholder.
  2. In the middle tier of the “waterfall” are the telecommunication companies, which play more of a supporting role as infrastructure providers for the means through which financial institutions officially communicate with their consumers and send authorisation access codes (e.g., via SMS). If telecommunication companies fall short of their prescribed duties, they will then bear the full loss suffered. However, as above, if the telecommunication companies have fulfilled their duties, then the responsibility will lie solely with the last stakeholder, and no pay-outs will be made under the SRF.
  3. At the bottom of the “waterfall” are the consumers themselves. Consumers are expected to remain vigilant at all times and protect themselves from falling for potential scams by avoiding unsolicited, suspicious links.

A second key feature of the proposed SRF is the imposition of different sets of duties for financial institutions and telecommunication companies, which recognises the different roles that they play in the ecosystem of combatting scams. The table below sets out these differentiated duties imposed on financial institutions and telecommunication companies, as well as the general aims of imposing such duties:

Financial Institutions (FIs)
  Aims
    • To ensure that FIs put in place communication channels to keep consumers informed when transactions or high-risk activities are performed on their account.
    • To ensure that FIs put in place safeguards to mitigate consumers’ exposure to scam losses when their accounts are compromised.
  Duties
    • FIs must impose a 12-hour cooling-off period upon the activation of a digital security token. During this period, high-risk activities cannot be performed (e.g. adding new payees, increasing transaction limits, changing contact information).
    • FIs must provide real-time notification alert(s) for the activation of digital security tokens and conduct of high-risk activities.
    • FIs must provide real-time notification alerts for outgoing transactions.
    • FIs must provide an all-day (24/7) reporting channel and self-service feature for consumers to report and immediately block unauthorised access to their accounts, i.e. a “kill switch”.

Telecommunication Companies (Telcos)
  Aims
    • To ensure that Telcos put in place scam disruption measures to reduce the risks of scam SMS being sent to consumers.
  Duties
    • Telcos must deliver SMS messages with alphanumeric Sender IDs (e.g. Apple, DBS Bank) to subscribers only if they originate from authorised and licensed SMS aggregators, to ensure that the SMS messages originate from registered senders. SMS aggregators are organisations with the technology to collect large volumes of SMSes from brands and distribute them to telcos for delivery to the end consumer’s device. The IMDA maintains a list of licensed SMS aggregators.
    • Telcos must block SMS messages with alphanumeric Sender IDs that do not originate from authorised and licensed SMS aggregators.
    • Telcos must implement an anti-scam filter over all SMS to block SMS with known phishing links.

The following six potential scenarios illustrate how the proposed SRF will work, and when consumers can expect to receive a payout, or when they will likely have to bear the costs of falling prey to scams:

  1. Investment Scams
    • Scenario: A victim comes across a supposed investment opportunity on Facebook but it turns out to be an investment scam. The scammer instructs the victim to make bank transfers, and the victim does so. All the while, the victim continues to receive real-time SMS transaction notifications.
    • Likely outcome: It is likely that the consumer will have to bear the full loss, as the financial institution where the victim has an account fulfilled its duty of providing real-time notification alerts and the telecommunication companies have also not breached any of their SRF duties. The consumer has also “authorised” the transaction.
  2. Fake Sales Online
    • Scenario: A victim comes into contact with a fake furniture seller located overseas via WhatsApp. The victim enters his/her account credentials on a fake digital platform provided by the scammer, and in doing so, unwittingly provides the scammer with the details that he/she needs to steal the victim’s money.
    • Likely outcome: The consumer will likely have to bear the full loss, as the scam does not have a connection to Singapore. The scammer is not based in Singapore, nor is it a foreign brand known to offer services in Singapore.
  3. Bank Disruptions
    • Scenario: A victim falls for a phishing scam during a bank disruption (i.e. the period of time where the bank’s digital services are down).
    • Likely outcome: The bank will bear the full loss, as the disruption in services means that the bank is unable to fulfil its SRF duties of providing real-time notification alerts, a 12-hour cooling period for high-risk activities, and the availability of a kill-switch.
  4. Bank Impersonation
    • Scenario: A victim receives an SMS with the alphanumeric sender ID “DBS Bank” through an overseas network operator connected to a local telecommunication company. The telecommunication company does not block this SMS. The victim is tricked into clicking a link that brings him/her to a fake website where he/she keys in his/her bank account credentials. The scammer then uses these credentials to make unauthorised transactions.
    • Likely outcome: The telecommunication company will bear the full loss, as it failed to block SMSes with alphanumeric Sender IDs that are not from participating aggregators.
  5. Malware Scams
    • Scenario: A victim is tricked by a scammer into downloading a third-party application. The application allows the scammer to remotely view the victim’s login credentials and control his/her device to make fraudulent transactions.
    • Likely outcome: The consumer will likely have to bear the full loss, as the scam does not fall within the definition of a digitally enabled phishing scam.
  6. Transactions Dealt With Individually
    • Scenario: After a victim falls for a phishing scam over SMS, several fraudulent transactions are made from the victim’s bank account. The bank initially notifies the victim of the transactions but fails to alert the victim of the subsequent transactions as the system is down. The telecommunication company also allowed a non-authorised aggregator to send the SMSes.
    • Likely outcome: As each fraudulent transaction is individually assessed, the telecommunication company may be asked to reimburse the victim over the messages transmitted from non-authorised aggregators (in breach of the telecommunication company’s SRF duties). The bank will be held responsible for not notifying the victim during the bank disruption (in breach of the bank’s SRF duties).

What is the Claims Process Under the Proposed Shared Responsibility Framework for Victims Who are Entitled to Receive Payouts/Compensation?

The entire claims process can be broadly understood in four phases; the financial institutions will be the main point of communication with the consumers:

Claims Stage
  • The consumer will file a claim with the responsible financial institution (FI).
  • Within 3 calendar days of filing a claim, the consumer must provide the necessary information (e.g. valid contact information, police report reporting the scam, communication records between the scammer and the consumer). In other words, the consumer should file a police report as soon as he/she is made aware of the scam, so that he/she has the information on hand when filing the claim.
  • The responsible FI will assess whether the claim falls within the SRF’s scope and inform the responsible telecommunication company (Telco) where applicable.
Investigation Stage
  • The responsible FI and responsible Telco will investigate to determine what has happened and assess:
    • Whether the claim falls within the SRF.
    • Whether the responsible FI has breached its SRF duties.
    • Whether the responsible Telco has breached its SRF duties.
    • Whether any payout should be made to the consumer under the SRF, and who should be responsible for making this payout.
Outcome Stage
  • The responsible FI will inform and explain the outcome of the investigation to the consumer.
Recourse Stage
  • If the consumer is not satisfied with the outcome of the investigation, the consumer may pursue further action.

At the recourse stage, the consumer can pursue further action via the following means:

  1. If the consumer is dissatisfied with the responsible telecommunication company’s investigation outcome, the consumer can file a complaint with IMDA. IMDA will then assess whether the responsible telecommunication company has breached its SRF duties.
  2. If the consumer disagrees with the responsible financial institution’s investigation outcome, the consumer can approach the Financial Industry Disputes Resolution Centre Ltd (FIDReC). FIDReC is an independent dispute resolution body that resolves consumer financial disputes through mediation and adjudication. Apart from assessing whether the responsible financial institution has breached its SRF duties, FIDReC will also assess whether non-SRF-related obligations were breached (e.g. obligations under statute, common law, or duties under MAS’ E-payments User Protection Guidelines (EUPG)).
  3. Lastly, the consumer can also file a claim with the courts, if he/she is dissatisfied with the investigation outcome of the responsible financial institution, the responsible telecommunication company, or both.

At the moment, prior to the finalisation of the proposed SRF, if you happen to fall victim to a scam, you can also opt to pursue the following remedies to try to recover the monies that you have lost:

  • You should first call the dedicated anti-scam telephone helpline managed by the National Crime Prevention Council and the Singapore Police Force, at 1800-722-6688. You will be able to obtain advice and information on the next steps that you can take in your situation.
  • You can also file a police report, with the information that you have on hand regarding the scam. Examples of the information that you should collate prior to filing a police report are screenshots of your conversations with the scammer, details of any transactions that you may have made and the scammer’s contact information. The police will then investigate the matter.
  • If you have been scammed on an e-commerce platform, you can also approach the platform administrators directly, who may be able to assist you.
  • If you have enough information about the scammer (e.g. you know his/her identity, whereabouts etc.), you may even wish to pursue a civil claim against the scammer to recover the monies that you have lost, or to report the scammer to the Consumers Association of Singapore (CASE), who can help you with resolving your dispute. If your dispute is a consumer-to-business dispute (i.e. a dispute between yourself and a business, such as a financial institution or telecommunication company), CASE can assist you by liaising with the business directly to work towards an amicable settlement.

How Might the Proposed Shared Responsibility Framework Interplay With Other Current Legislation in Singapore Governing Scams?

The proposed SRF is meant to add to and complement other existing legislation in Singapore governing scams, such as:

  • The Online Criminal Harms Act (OCHA), which is a piece of legislation that targets online content used to facilitate scams and other malicious cyber activities. Under the OCHA, the government can order websites, apps and online accounts to be taken down if they are suspected of being used for criminal activities.
  • The Computer Misuse Act (CMA) and the Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act (CDSA), which contain provisions that allow the police to act swiftly against individuals who share their Singpass login or bank account details with scammers.

In conclusion, the proposed SRF puts in place a system for allocation of responsibility in the event of a scam, so that consumers do not end up being the ones bearing the brunt of the effects of the scam losses, especially where financial institutions and telecommunication companies could have done more to prevent the scam from happening.

The proposed SRF imposes calibrated duties on financial institutions and telecommunication companies according to their respective roles in fighting scams, but still incentivises consumers to remain vigilant and not let their guard down.

If you have fallen victim to a scam, you can seek further guidance or advice from a lawyer, who can advise you on what you can do next. A lawyer would also be able to advise you on whether it would be worthwhile or even possible to pursue a civil claim against the scammer, to recover the monies that you have lost.