2-11-2023 (SINGAPORE) Singapore’s central bank chief, Ravi Menon, has stated that authorities must adopt the “right approach” before including malware scams in a proposed framework that determines liability for scam losses. In an interview, Menon emphasized the Monetary Authority of Singapore’s (MAS) concern over malware scams and ongoing discussions on safeguards. The MAS and the Infocomm Media Development Authority (IMDA) recently released a consultation paper proposing that negligent financial institutions and telecommunication companies bear responsibility for scam losses. However, the framework currently focuses only on digitally-occurring phishing scams, excluding malware and other scams where victims authorize payments. Menon highlighted the increasing prevalence of malware scams and the need to establish appropriate measures against them before including them in the framework.
Malware scams involve tricking victims into downloading and installing malicious apps that allow fraudsters to control their devices. Police statistics reveal that between January and August, over 1,400 victims lost at least S$20.6 million (US$15 million) to malware scams, with almost half of these occurring in the final two months of the period. While acknowledging the disappointment that malware scams are currently excluded from the shared responsibility framework, Menon stated that discussions with banks are underway to determine safeguards and measures against such scams. Several major retail banks have already implemented anti-malware controls to restrict customer access to apps if potentially risky apps are detected on their phones. Additionally, banks are considering introducing a “money lock” feature to enable customers to block digital transactions from their savings.
Menon acknowledged that these safeguards may cause inconvenience and friction in the consumer banking experience but stressed the trade-off between security and convenience. He urged consumers to understand the need to recalibrate towards security, especially in light of emerging risks such as malware scams. The shared responsibility framework was announced in February 2022, following significant losses to phishing scams conducted via SMS. However, the complexity of the issues involved delayed the release of the draft framework. In addition to financial institutions, the framework includes telcos and infrastructure service providers, making Singapore the first to do so.
The inclusion of telcos in the framework recognizes their role as channels for transmitting SMS messages. As SMS remains a vital tool, addressing gaps in this space is essential. Moreover, authorities are engaged in discussions with social media platforms and other ecosystem players to explore ways in which they can exercise greater responsibility over the use of their platforms. While regulatory levers exist for financial institutions, payment system providers, and telcos, there is limited regulatory control over social media platforms. Expanding the framework to incorporate telcos required extensive consultation to ensure their involvement without unfairly burdening them with liabilities.
The framework, set to be rolled out next year, aims to enhance the accountability of financial institutions and telcos to their consumers while preserving confidence in digital payments and banking in Singapore. The increase in scams, particularly those involving unauthorized transactions, threatens this confidence. Presently, unauthorized transactions account for approximately one-quarter of all scam cases, with the remainder involving authorized transactions like investment and love scams. Menon stressed the importance of addressing these issues promptly to prevent a loss of confidence in the digital economy. He acknowledged the growing anxiety surrounding scams and expressed his personal concern, highlighting the need to find solutions for malware scams.
In a separate discussion, Menon addressed recent service disruptions in several banks, including DBS, Singapore’s largest lender. He stated that the disruptions were not exceptional or significantly worse than disruptions in other countries when assessed based on four criteria set by MAS: frequency of outages, recoverability, communication to customers, and contingency plans. Although disruptions at DBS, with its large customer base, have drawn attention, Menon believes that digital banking disruptions in Singapore are not more frequent than elsewhere. The regulator has imposed restrictions on DBS, prohibiting it from acquiring new business ventures and making non-essential IT changes or reducing its branch and ATM networks for six months. However, Menon expressed confidence in DBS’s ability to resolve the underlying issues due to its strong digital capabilities and commitment to rectifying the problems.
