Exploring MAS’ framework for equitable sharing of scam losses

The Monetary Authority of Singapore (MAS) is establishing a framework for equitable sharing of scam losses or for the distribution of damages from scams among consumers and financial institutions. The regulator also stated on February 4, 2022, that it is working with the banking industry on “longer-term measures” to improve digital banking security.

Legal experts applauded the action, promoting transparency and boosting customer confidence, especially as more financial services are digitalized. Financial institutions will be held accountable for protecting their clients under the framework through robust controls to safeguard customer accounts and effective methods to detect and respond to suspicious transactions.

Meanwhile, users must take the required safeguards, such as not disclosing personal or financial credentials to outsiders, refraining from clicking on links in SMSs or emails purportedly sent by a bank, and transacting only through the bank’s official website or mobile application.

Also Read: Understanding the mandatory data breach notification of Singapore

MAS’ framework for equitable sharing of scam losses

The proportion of losses that each party bears will be determined by whether and how the party failed to meet its obligations.

“MAS expects financial institutions to treat their customers fairly and bear an appropriate proportion of losses arising from scams. At the same time, care must be taken to ensure that compensation paid to customers does not weaken their incentive for all to be vigilant,”

MAS

According to the Payments Council, chaired by MAS, it has been working on the framework since July 2021. It intends to publish the framework for public comment within the next three months. Aside from loss sharing, the consultation will also address the duties of other major players in the system.

The MAS statements come after almost 800 OCBC customers lost a total of S$13.7 million. This was after scammers impersonated the bank and duped victims into handing over their online banking log-in data using antiquated short message service (SMS) technology.

On February 4, the regulator also stated that OCBC’s recent goodwill payouts to fully cover customer losses were a “one-time gesture” and did not set a general precedent for future cases. The circumstances surrounding these reimbursements include the bank’s analysis of how it had not met its own customer service goals and thus do not create a general precedent for future situations.

Associate Professor Christian Hofmann, head of financial regulation and central banking at the National University of Singapore’s (NUS) Centre for Banking & Finance Law, praised the initiative for filling a “problematic regulatory vacuum” in the area of fraudulent payment transactions in Singapore and bringing the city-state up to par with other jurisdictions such as the European Union, which has had rules in place for over a decade.

According to Hofmann, MAS should distinguish between different sorts of fraudulent attacks when developing the framework. For example, recent phishing attacks elicited client responses that facilitated fraudulent transactions. In these cases, depending on their behavior, the question of whether customers were negligent can be answered. He says that reasons to hold customers accountable will be even less likely in virus cases because these transactions are not influenced by human behavior.

Wilson Ang, partner and head of regulatory compliance and investigations at Norton Rose Fulbright (Asia), stated that a party that was “obviously or persistently negligent, or suffered an obvious error in judgment or procedure” should be prepared to accept further responsibility. Other factors the framework should assess are whether preventive actions were taken, post-incident mitigating efforts, and the party’s financial ability to bear the responsibility.

According to him, MAS will have to decide whether such a framework should be mandatory or voluntary, as is the case with the UK’s Contingent Reimbursement Model. However, having a framework “improves customer confidence and avoids the erroneous idea that banks will always offer 100% compensation to victims,” Ang noted.

However, as significant commercial entities, banks may be held to “greater and tougher standards” in terms of installing and updating security measures, as well as reaction to breaches, according to lawyer Amolat Singh. Customers considered to have acted in ways that no average, rational person would have, such as out of sheer avarice, resulting in a successful fraud, however, would bear a greater part of the culpability, he said.

According to NUS law professor Kelvin FK Low, the framework should incentivize parties to limit the occurrence of fraud in the first place. “It is not rational to expect all clients never to fall victim to frauds,” he says, “yet it would be appropriate to allocate losses to them if they had proven extreme negligence.

Also Read: What you need to know about appointing Data Protection Officer in Singapore