Reply to Adjournment Motion on “Losses from Scams and Malware Fraud: Doing Right by Bank Customers” by Mr Alvin Tan, Minister of State, Ministry of Trade and Industry and Ministry of Culture, Community and Youth, and Board member of MAS, on behalf of Mr Lawrence Wong, Deputy Prime Minister and Minister for Finance, and Chairman of MAS, on 18 September 2023
1. Mr Speaker, I thank the Member for tabling today’s Motion.
2. I share her concerns over losses suffered from scams, as do other members in this House. Over the past year, Dr Tan Wu Meng and Ms Yeo Wan Ling raised questions on the avenues of recourse for customers who suffer losses from scams; Mr Saktiandi Supaat and Dr Lim Wee Kiak also asked about the status of the Shared Responsibility Framework.
3. Let me touch on our broad strategy to fight scams, before highlighting ongoing efforts by Government and banks against more concerning scam typologies. I will then share the avenues that customers have for recourse and provide an update on the Shared Responsibility Framework.
SINGAPORE'S BROAD STRATEGY TO COMBAT SCAMS
4. Singapore adopts a three-pronged strategy to fight scams.
a. First, upstream measures, such as the ScamShield mobile app to filter and block scam messages and calls, and the SMS Sender ID Registry regime to label non-registered senders with the “Likely-SCAM” label.
b. Second, downstream measures; these include bank measures implemented last year.
c. Third, public education, through public advisories and sharing best practices to fight scams.
5. Our collective efforts are showing some encouraging signs. Total amount of scam losses decreased slightly in the first half of 2023, compared to the same period in 2022.
6. Nevertheless, the scam situation remains serious. With more of us transacting digitally, bad actors are adopting increasingly sophisticated methods to target victims. We must constantly sharpen our approach to fight scams in this rapidly evolving landscape.
MEASURES TO COMBAT DIGITALLY-ENABLED SCAMS
7. Among scam types prevalent today, digitally-enabled scams involving phishing and malware are of gravest concern. This is where victims either gave away or had their banking credentials stolen, leading to unauthorised transactions. In recent months, we’ve seen a growing number of malware-enabled scam cases, with some victims suffering considerable losses. Left unaddressed, such scam threats and ensuing losses can undermine public confidence in payments and digital banking.
8. The Government is resolute in fighting malware-enabled scams, and we have augmented our efforts under the three prongs I mentioned:
a. First, upstream measures.
i. The CSA and the SPF are working with key tech players to limit mainstream access to identified malware variants and tools, such as those used in scams seen here in Singapore.
ii. Agencies are also working with industry and international partners to raise the security standards of mobile operating systems and mobile devices.
b. Second, downstream measures.
i. SPF has taken timely enforcement action, and works with banks to trace and recover funds. SPF also collaborates with overseas law enforcement agencies to take down cross-border scam syndicates.
ii. MAS has also been working closely with our banks to strengthen anti-malware controls, fraud surveillance, and detection capabilities. Major retail banks have hence enhanced their security measures to protect customers against malware scams, and will progressively introduce refinements or new measures to keep pace with changes in the threat landscape. Members might know that the ABS announced this a few hours ago.
- A recent example is OCBC’s move to block mobile banking access on devices that are detected to carry potentially malicious apps. Other banks are implementing similar measures.
- Banks are also exploring MoneyLock, to allow customers to set aside an amount in their bank accounts which cannot be digitally transferred out without strict authentication measures. This will further help to limit losses against scams.
c. Third, public education. Members of the public must take active steps to protect themselves against scams. We must foster stronger adoption of scam prevention actions and cyber hygiene practices through public engagements.
i. SPF, CSA, MoneySense and banks have used multiple platforms such as outreach events, social and print media, as well as digital display panels to broadcast simple advisories, including messages such as “download only from official app stores” to the public.
ii. To the Member’s point, the Government is also targeting outreach and messages to vulnerable groups, including seniors, students, and migrant workers.
ADDRESSING SCAM LOSSES
9. I will now address the matter that she raised of who should be responsible for scam losses. And I think the House understands that this is a difficult issue, since amounts lost in any single case can be substantial. We must hence strike a balance between fairness, accountability, and compassion.
10. There are some views that banks can easily absorb losses arising from individual scam cases. However, full restitution without due consideration of culpability is neither fair nor desirable. Doing so can erode vigilance and personal responsibility, and lull users into complacency.
11. Ms Sylvia Lim suggested that customers rely on banks to ensure the security and the robustness of their online banking and payment options. This is indeed so. MAS requires banks to secure digital systems, including by implementing multi-factor authentication to verify a customer’s identity and to authorise online transactions; and also sending notification alerts to customers so they can report unauthorised transactions as soon as possible. However, we should also note that scammers can still bypass these digital security measures, by deceiving customers into inadvertently divulging their account access credentials or downloading malware, thereby granting scammers total access, or remote access rather, to victims’ devices and their accounts.
12. Individual customers thus also have an important responsibility to protect access to their accounts, and this includes practising good cyber hygiene and being diligent in preventing their login information and OTPs from being divulged to third parties.
13. MAS has issued guidance for banks to institute clear customer handling and investigation processes and to treat customers fairly in all disputes. MAS also monitors how banks handle such disputes. In scam cases, banks must consider if they have fulfilled their obligations, and whether the victim had acted responsibly. Customers who practised good cyber hygiene and were diligent in preventing their login information and OTPs from being divulged to third parties, should not have to bear losses.
14. Depending on the facts of each case, banks may offer goodwill payments to customers. If a customer is unsatisfied with an offer, he may decline and approach the FIDReC for mediation and adjudication. A customer can further pursue his case in court if he is not satisfied with the outcome.
15. If the customer accepts a goodwill payment offer, he or she will be bound by the terms of the offer. Should new information come to light that is materially different from the premise upon which the customer had accepted the goodwill offer, the customer can request the bank to relook the case, or to approach FIDReC for assistance.
16. Finally, let me provide an update on the Shared Responsibility Framework.
17. While this has taken longer than we would like, the Government aims to publish a consultation paper on the Framework next month, focusing on phishing scams as a start. Ms Sylvia Lim pointed out that some other countries, including the UK, have either implemented or are considering mechanisms to mitigate the burden of scam losses. We are monitoring these developments, and will take them into account as we further develop this Framework, including for other types of scams in the digital payments ecosystem.
18. Ms Sylvia Lim also talked about whether customers can request for physical tokens, and MAS is also looking into her suggestion. On the other part about the digital payment tokens or cryptocurrency, I wanted to say that MAS also continues to watch for developments in the digital payment token or cryptocurrency space, and will regularly review the adequacy and appropriateness of these regulations. On the point of FIDReC, FIDReC will also continue to monitor and regularly review its process and procedures.
CONCLUSION
19. Mr Speaker, allow me to sum up.
20. Scams are an ever-present and evolving threat. The Government will spare no effort to implement effective upstream and downstream anti-scam measures alongside industry. In doing so, as the Member suggested, we may inevitably sacrifice some convenience to achieve better security. Finally, a discerning and vigilant public remains an essential pillar in our collective fight against scams.
21. Again, I thank Ms Sylvia Lim and Members in this House for their focus on this important and rapidly evolving issue, and welcome all of you to work with the Government to join us in our ongoing fight against scams.
22. Thank you.