Implementation of the new Shared Responsibility Framework and its impact on financial institutions
This article discusses a collaborative approach to cybersecurity and consumer protection in Singapore's financial industry, known as the Shared Responsibility Framework (SRF).
Introduction
The Shared Responsibility Framework (“SRF”) in Singapore provides a comprehensive approach to risk management and governance in financial institutions (“FIs”) by introducing enhanced obligations to mitigate scams and by establishing clear accountability. It outlines the shared responsibilities between FIs and their third-party service providers (“TPSPs”) in ensuring the security of their systems and data.
The SRF is designed to foster a collaborative environment between regulators, FIs, and telecommunication providers (“Telcos”), emphasising shared accountability for risk management and compliance. It promotes a culture of joint effort, where all parties work together to mitigate risks and enhance transparency.
The Guidelines on Shared Responsibility Framework (“SRF Guidelines”) outline shared responsibility for phishing scam losses among FIs, Telcos, and consumers. It applies to those holding customer funds and providing communication infrastructure. The framework specifically targets phishing scams that manipulate consumers into revealing sensitive information through impersonation of legitimate entities. While it aims to enhance consumer protection against these digital scams, it does not cover malware-enabled or non-digital scams, focusing instead on digital fraud and acknowledging the variety of fraudulent activities.
Core obligations for financial institutions
The SRF sets out the duties of account users and responsible FIs to ensure a common baseline of protection from unauthorised or erroneous transactions. With the implementation of the SRF, account users, FIs and Telcos will need to put in place preventive measures to counter digital scams. The SRF will affect account users, FIs and Telcos, and collectively reduce scam risks, in the following ways:
- Account users will see an increase in preventive measures by FIs and Telcos on digital security for significant account activities.
- FIs will need to re-look at their current anti-fraud operating model to establish preventive and detective surveillance mechanisms to counter unauthorised transactions and phishing scams.
- Telcos will need to take on shared responsibility for fraud losses and ensure that they put in place scam disruption measures within the Short Message Services (“SMS”) communication networks that reduce the risks of scam SMS being delivered to consumers.
The Waterfall approach and operational workflow
The waterfall approach established by the SRF for determining liability in scam-related losses creates a structured framework for sharing responsibility among FIs, Telcos, and consumers. The key features of the waterfall approach are segregated as follows:
1. Prioritised liability
- FIs: As the first line of defence and primary custodians of consumer funds, FIs are held liable for losses if they fail to meet their regulatory obligations, such as providing timely transaction notifications.
- Telcos: They must implement measures to prevent fraud. If they do not fulfil their duties, and the FI has complied with its obligations, the Telco bears responsibility for losses.
- Consumers: If both the FI and the Telco have performed their respective tasks and complied with their obligations, the consumer bears the final losses, and no payouts are required by the FI and Telco under the SRF. This structured framework ensures accountability among all parties in the event of scams.
2. Clear accountability
The framework establishes a clear chain of accountability, encouraging both FIs and Telcos to strengthen their fraud prevention efforts.
3. Operational workflow
The framework includes a detailed process for handling claims related to scams. This typically involves assessment of the claim by the FI, collaboration with the Telco where necessary, investigation of the incident, and communication of the outcome to the consumer.
4. Consumer recourse
In the event customers are not satisfied with the resolution, they can seek further remedies through established channels, such as the Financial Industry Disputes Resolution Centre (“FIDReC”) or Infocomm Media Development Authority (“IMDA”).
The waterfall approach aims to enhance consumer protection by clearly delineating responsibilities and encouraging all parties to implement effective fraud prevention measures. This structured method helps streamline operations, improve accountability, and foster collaboration among stakeholders in the fight against scams.
Impact on FIs
The financial sector will undergo a transformative phase with the introduction of the SRF. This regulatory shift aims to redefine accountability and risk management within FIs, with significant implications for governance, operational practices, and customer relations. The following outlines the key implications for FIs:
1. Anti-fraud framework
FIs should establish a comprehensive risk management framework that includes specific provisions for fraud risk, and are expected to regularly perform fraud risk assessments to identify fraud vulnerabilities in the organisation and tailor their internal controls (both preventive and detective) accordingly. FIs should have in place robust controls that facilitate the prevention and detection of unauthorised transactions arising from digital scams. The framework would also need to include a response plan for addressing incidents of unauthorised transactions through investigation, ensuring accountability to account users and regulatory bodies. This would enable FIs to mitigate the risks arising from digital scams.
2. Roles and responsibilities
The SRF clarifies roles and responsibilities among FIs, Telcos and account users in mitigating the risk of unauthorised transactions. FIs should enhance accountability within the organisation itself. The board and senior management play a critical oversight role in ensuring that robust policies and strategies are in place and updated regularly to mitigate fraud risks. Clear policies and procedures must be established to facilitate the prompt reporting of suspected fraud incidents to the regulatory bodies.
3. Training and upskilling
FIs are expected to re-evaluate their operational frameworks to align with the SRF. This could involve restructuring teams, investing in new technologies, and enhancing training programmes to ensure staff are equipped to handle the new responsibilities. The board and senior management should stay up to date with the latest regulations and guidelines on fraud prevention and reporting, and ensure that the organisation’s internal controls and anti-fraud framework stay relevant against new fraud typologies. Employees should be trained in fraud detection techniques so that they can identify key fraud trends, red flags and suspicious transactions. A culture of fraud awareness, built through training programmes for employees at all levels and sustained by continuous training, is integral to preventing and detecting fraud proactively.
4. Operations – Investigations and outcome
FIs will need to set up an investigation taskforce, independent of business units, to conduct investigations when processing claims on unauthorised transactions. FIs should outline clearly the governance structure of the investigation taskforce as well as the policies and procedures detailing the investigation process and assessment.
5. Operations – Recourse plan
FIs will need to establish a clearly defined recourse plan to address claims pursued by account users in scenarios where the responsible FI has assessed that the claim falls outside of the SRF Guidelines. This would include detailed policies and procedures, clearly defined roles and responsibilities and effective communication strategies to account users, management and regulatory bodies.
6. Tools and technology
The SRF encourages FIs to leverage technology to improve their risk management processes. This includes adopting advanced analytics and automated systems for real-time monitoring and reporting. Responsible FIs are required to implement the following:
- Real-time fraud surveillance mechanisms to detect unauthorised transactions and phishing scams, by June 2025. These include blocking online banking payment transactions that cross a certain threshold until the account holder has verified them, and sending a notification to the account holder while blocking or holding suspected unauthorised transactions for at least 24 hours.
- A 12-hour cooling-off period that limits high-risk activities following the activation of a digital security token on a device, or a login to a protected account from a new device.
- Real-time notifications and alerts to the account holder for significant account activities: activation of a digital security token, login to a protected account from a new device, or any high-risk activity performed on a protected account.
- Real-time outgoing transaction notification alerts for all outgoing payment transactions.
- A 24/7 reporting channel with a self-service feature that promptly blocks mobile and online access to the account user’s protected account (“kill switch”).
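As an added illustration that is not part of the article or of any MAS material, the following Python model shows how the controls listed above fit together: the 12-hour cooling-off after token activation or a new-device login, real-time alerts, a hold of at least 24 hours on above-threshold online payments pending verification, and the self-service kill switch. The account id, the hold threshold (the SRF sets no figure) and the timeline are assumed values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

COOLING_OFF = timedelta(hours=12)  # no high-risk activity for 12h after token activation / new-device login
MIN_HOLD = timedelta(hours=24)     # flagged outgoing payment held at least 24h pending account-holder verification

@dataclass
class ProtectedAccount:
    account_id: str
    hold_threshold: float  # assumed per-FI amount above which an online payment is held; the SRF sets no figure
    notifications: List[Tuple[datetime, str]] = field(default_factory=list)
    cooling_off_until: Optional[datetime] = None
    kill_switch_active: bool = False
    def notify(self, at: datetime, message: str) -> None:
        self.notifications.append((at, message))  # stands in for a real-time SMS or in-app alert
    def record_security_event(self, at: datetime, event: str) -> None:
        """Token activated or login from a new device: alert the holder and start the cooling-off window."""
        self.cooling_off_until = at + COOLING_OFF
        self.notify(at, f"{event} on account {self.account_id}")
    def high_risk_allowed(self, at: datetime) -> bool:
        # High-risk activities (e.g. raising transfer limits) are refused during cooling-off or with the kill switch on.
        if self.kill_switch_active:
            return False
        return self.cooling_off_until is None or at >= self.cooling_off_until
    def process_outgoing_payment(self, at: datetime, amount: float, payee: str) -> Tuple[str, Optional[datetime]]:
        """Notify every outgoing payment; hold those above the threshold for at least MIN_HOLD."""
        if self.kill_switch_active:
            return "blocked", None
        self.notify(at, f"Outgoing payment of {amount:.2f} to {payee}")
        if amount > self.hold_threshold:
            hold_until = at + MIN_HOLD
            self.notify(at, f"Payment held until {hold_until.isoformat()} pending your verification")
            return "held", hold_until
        return "sent", None
    def activate_kill_switch(self, at: datetime) -> None:
        self.kill_switch_active = True  # self-service 24/7 block on mobile and online access
        self.notify(at, "Kill switch activated: online and mobile access blocked")

def run_scenario() -> dict:
    # Constructed timeline exercising each control; returns the decisions taken.
    acct, t0 = ProtectedAccount("ACC-0001", hold_threshold=5000.0), datetime(2025, 6, 1, 9, 0)
    acct.record_security_event(t0, "Login from new device")
    small = acct.process_outgoing_payment(t0 + timedelta(hours=1), 200.0, "Utility")[0]
    large, hold_until = acct.process_outgoing_payment(t0 + timedelta(hours=2), 9000.0, "Unknown payee")
    out = {"high_risk_at_6h": acct.high_risk_allowed(t0 + timedelta(hours=6)),
           "high_risk_at_12h": acct.high_risk_allowed(t0 + timedelta(hours=12)),
           "small_payment": small, "large_payment": large, "hold_until": hold_until.isoformat()}
    acct.activate_kill_switch(t0 + timedelta(hours=3))
    out["after_kill_switch"] = acct.process_outgoing_payment(t0 + timedelta(hours=4), 50.0, "Utility")[0]
    out["notification_count"] = len(acct.notifications)
    return out
```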
7. Customer awareness
Account users are required to exercise greater cyber hygiene, such as refraining from clicking links in SMS or emails and relying on official sources for information, while FIs need to build greater awareness among account users of the need to safeguard their account credentials.
Conclusion
The new Shared Responsibility Framework represents a significant evolution in the regulatory landscape for FIs. By promoting shared accountability, enhanced transparency, and a focus on customer interests, the SRF aims to create a more resilient financial system. While the implementation of this framework may pose challenges, it ultimately offers opportunities for institutions to strengthen their operations and foster deeper trust with stakeholders. As FIs and Telcos navigate this new terrain, the commitment to a collaborative and proactive approach will be essential for thriving in the future financial landscape.
Reference Materials
1. The Guidelines on Shared Responsibility Framework, available on the Monetary Authority of Singapore website: https://www.mas.gov.sg/regulation/guidelines/guidelines-on-shared-responsibility-framework
2. Consultation Paper on Proposed Shared Responsibility Framework, available on the Monetary Authority of Singapore website: consultation-paper-on-proposed-shared-responsibility-framework.pdf
3. A Framework for Equitable Sharing of Losses Arising from Scams
4. MAS and IMDA Consult on Shared Responsibility Framework for Phishing Scams
5. The SRF infographic, available on the Monetary Authority of Singapore website: shared-responsibility-framework-infographic.pdf
6. The Operational Workflow for SRF infographic, available on the Monetary Authority of Singapore website: infographic-on-operational-workflow-for-shared-responsibility-framework.pdf