Illustration of person closing bank vault with Singaporean flag in foreground- demonstration of how Asia banks can secure themselves from fraud by following the Singapore SRF framework

The Asian banking sector is increasingly concerned about phishing scams. Scammers cleverly design these scams to trick customers into making authorized transactions. But could a proposed Shared Responsibility Framework (SRF) in Singapore offer a fairer division of responsibility and ultimately deliver better consumer results?

The rise in phishing scams isn’t just minor setbacks; they’re serious breaches that can shake trust in digital banking and payment systems. Consider the 2021 phishing attack on OCBC Bank, for example. It was a clear signal that the banking industry needed to buckle down to address these vulnerabilities.

The battle against financial fraud is ongoing, and Asian banks are stepping up their defenses. They’re not just chasing down and closing fraudulent websites; they’re also tightening up their banking regulations. Banks have made good progress. But scammers are always getting smarter. That’s why banks must work together to fight them.

That’s where the Shared Responsibility Framework comes into play, offering a clear strategy to protect our financial well-being. The SRF proposal comes from the Monetary Authority of Singapore (MAS) and the Infocomm Media Development Authority (IMDA) and is a testament to proactive governance. It extends the principles laid by the Payments Council, casting a broader net to safeguard consumers from ever-persistent phishing scams.

For Singapore, SRF Ushers in Era of Accountability

But the Singapore SRF isn’t just a set of guidelines. It’s a trailblazing shift towards accountability, particularly the novel concept of holding telco providers partially liable. Much like Australia’s emerging joint liability scheme, the notion that carriers should bear responsibility alongside financial institutions (FIs) is a direct response to calls for tighter security measures.

Financial Institutions’ Duties Under SRF

The SRF’s blueprint outlines clear duties for both FIs and telcos. For FIs, it’s about diligence and preemptive measures: a 12-hour cooling-off period after issuing digital tokens is a tactical pause to hinder the rush of scammers. It’s about enabling customers with real-time alerts for token activation and transactions, ensuring they’re the gatekeepers of their digital activity. And in dire straits, a “kill switch” empowers customers to halt transactions in their tracks. This offers an emergency brake to avoid potential financial calamity.

Table titled
Table titled

Telcos’ Duties Under SRF

For telcos, the duty is one of vigilance—connecting only with authorized SMS aggregators, blocking rogue sources, and weaving anti-scam filters to capture phishing links in SMS. With the SRF, Singapore is making its stance clear: Telcos should compensate customers for breaches, a policy that exemplifies accountability.

Consumer Duties Under SRF

The SRF also recognizes the power and responsibility of consumers. It encourages good cyber hygiene practices, mindful sharing of personal details, and a discerning eye for suspicious links in messages.

Malware Limitations of the SRF

Yet, the SRF has its limitations. Malware-enabled scams remain outside its scope, for now, a recognition of the complexity and novelty of such threats. This isn’t an oversight but an acknowledgment that defenses must evolve in line with the dangers faced.

3 Things Banks Can Do to Prepare for the SRF

The SRF isn’t just a framework; it’s a call to arms—a collective rallying cry for banks, telcos, and consumers to stand guard over our digital horizons. As we await the unfolding of this proposal and potential payouts for scam victims under this framework, here are three things banks should do today to prepare for the SRF:

1. Enhance Real-Time Detection Capabilities: 

  • Amplify AI and Machine Learning: Banks should leverage advanced analytics tools—including artificial intelligence and machine learning—to detect and prevent phishing and other fraudulent activities in real time. By investing in these technologies, banks can analyze customer behavior patterns and identify anomalies that may indicate a scam or unauthorized transaction. At the same time, banks should enhance existing AI and machine learning systems with contextual information such as risk analytics.
  • Implement Adaptive Authentication: Encourage the adoption of adaptive authentication processes that evaluate the risk level of transactions in real time. This could include factors like device fingerprinting, geolocation, and the customer’s typical transaction behavior to assess the legitimacy of each transaction before it’s processed. It also improves the overall customer experience by removing unnecessary authentication checks and minimizing friction.

2. Strengthen Customer Communication and Education: 

  • Immediate Alerts: Develop robust communication channels for immediate customer alerts regarding token activation and transactions. This includes ensuring notifications are prompt, clear, and actionable, allowing customers to understand and respond effectively if they identify a transaction they did not authorize.
  • Educational Campaigns: Conduct ongoing customer education campaigns about phishing scams and the importance of cyber hygiene. Banks should inform customers about the new measures being put in place under the SRF and provide clear guidelines on how customers can contribute to safeguarding their accounts.
  • Offer Whitebox Explainability: Understanding why decisions are reached is critical for any communication efforts to be effective. Banks must ensure they offer Whitebox explainability to provide transparency in the decision-making process. This transparency should reach front-office teams to help them better engage and advise customers in their time of need.

3. Review and Update Operational Protocols:

  • Operational Readiness: Banks must review and potentially overhaul their internal operational protocols to comply with the SRF. This includes establishing processes for the proposed 12-hour cooling-off period and ensuring that systems can effectively support the “kill switch” function for customers to lock down their accounts if fraud is suspected immediately.
  • Cross-Industry Collaboration: Proactively engage with telecommunications companies to ensure compliance with the SRF’s expectations for telco responsibilities. This collaboration is crucial for implementing anti-scam filters and for the swift action required to block unauthorized sources, as outlined by the SRF.

By focusing on these three areas, banks can align with the SRF’s objectives and enhance their fraud prevention systems to better protect themselves and their customers from the risks associated with digitally enabled scams, whatever their source.