Singapore may split liability for phishing losses between banks and victims – Source: go.theregister.com

Singapore officials announced on Monday that next month they will deliver a consultation paper detailing a split liability scheme that will mean both consumers and banks are on the hook for financial losses flowing from scams.

It is an answer to a common question these days: in a world of rampant payment and transfer scams, who is responsible?

Countries like Australia have also considered shared loss schemes. Meanwhile, the European Commission has proposed a “refund” to victims of certain types of fraud, including authorized push payment scams.

Starting next year, the UK will enforce mandatory reimbursement by banks to scam victims up to one million pounds – with the sending and receiving banks sharing the bill.

Singapore’s minister of state Alvin Tan has a different view.

“There are some views that banks can easily absorb losses arising from individual scam cases. However, full restitution without due consideration of culpability is neither fair nor desirable,” he told Parliament on Monday.

A draft of Singapore’s shared responsibility framework was originally intended to be complete in the first half of 2023. Tan admitted on Monday the process had taken longer than the government would like, but a version detailing responses to phishing scams should be completed next month.

• South Korea relieved US China chip ban won’t bite, as Beijing fumes
• Interpol arrests 14 who allegedly scammed $40m from victims in ‘cyber surge’
• Tech support scammers go analog, ask victims to mail bundles of cash
• Singapore monetary authority threatens action on bank over widespread phishing scam

Singaporean authorities first floated a a shared liability strategy in February 2022 after threat actors stole a combined SG$13.7 million ($10.2 million) from around 800 customers of a single bank by spoofing text messages.

At first, Oversea-Chinese Banking Corporation (OCBC) offered “goodwill” payments to a paltry 6.4 percent of victims, but after the Monetary Authority of Singapore (MAS) threatened action, it changed its tune and said it would issue “full goodwill payouts” to all victims.

The sheer magnitude of the required payout left the city-state to rethink its anti-scam measures.

Then-minister of finance – now deputy prime minister – Lawrence Wong said in the future, customers and banks would have a shared responsibility for any losses in order to prevent a “weaken[ed] incentive to be vigilant” on the part of the customer.

The MAS currently requires banks to secure digital systems, including with multi-factor authentication for online purchase. Banks are also required to send alerts for some transactions and have been given guidance on handling and investigating disputes. Those efforts are supervised by MAS. But all the efforts prove no match for motivated social engineers.

“In scam cases, banks must consider if they have fulfilled their obligations, and whether the victim had acted responsibly. Customers who practised good cyber hygiene and were diligent in preventing their login information and [one-time passwords] from being divulged to third parties, should not have to bear losses,” said Tan.

In the current process, unhappy customers can pursue the case in court, while others can agree to the terms and conditions associated with any payout.

The resulting agreements usually mean financial disappointment and a nondisclosure agreement – which many victims do begrudgingly, pointed out parliament member Sylvia Lim.

Lim advocated for a system similar to that of the UK, to give consumers more confidence in their transactions. ®