The MAS said then it would publish a draft framework for public consultation in the next three months. But the process has taken “longer than expected” due to the complexity of the issues involved, the financial regulator said in previous parliamentary replies.
1. When a financial institution is responsible
A case study provided in the consultation paper lays out the scenario of how a consumer had clicked on a phishing email and entered his account credentials on a fake website mimicking a financial institution.
The scammer subsequently used the account credentials and OTPs provided to take over the consumer’s account without his knowledge and set up a digital token.
Due to a system error, the financial institution did not impose a 12-hour cooling-off period during which high-risk activities could not be performed. As a result, the scammer was able to increase the consumer’s online transaction limit from S$5,000 to S$10,000 – a high-risk activity – within the 12 hours following the new digital token’s activation.
The consumer had seen the notification alerts informing him of the activation of a new digital token and the increase in transaction limit, but did not act on either of these alerts. The scammer then proceeded to make multiple transactions of S$10,000 each out of the consumer’s account.
In this case, the financial institution bears the full losses because it failed in its duty to provide a 12-hour cooling-off period. This is despite the consumer having failed to exercise due diligence by clicking on a phishing link and choosing to ignore the notification alerts that were sent to him.
2. When a telco is responsible
In another case study provided, a consumer had received an SMS with the Sender ID “DBS Bank” asking him to reset his digibank password via a link.
This SMS was in fact a scam message sent by an overseas entity posing as DBS. The telco did not block this SMS.
Upon receiving the SMS, the consumer keyed in his account details on the fraudulent website, after which his account credentials, including OTPs, were used to initiate five FAST transactions amounting to S$10,000 to another local account.
SMS transaction notifications were sent by the financial institution for all the transactions. This means that there were no lapses by the financial institution, but the telco had failed in its duty to block the unverified SMS. In this case, the telco will bear all of the losses.
3. When a consumer is responsible
In this case, a scammer posing as a financial institution had sent a consumer a phishing email containing details of an attractive product.
The consumer clicked on the link, and entered his account credentials and OTPs on a fake website to purchase the product.
The account credentials, including OTPs, were later used by the scammer to initiate three FAST transactions of S$1,000, S$2,000 and S$3,000 respectively, to another local account.
Transaction notifications were only sent for the FAST transactions of S$2,000 and S$3,000, as the consumer had previously adjusted his transaction notification threshold to S$1,500. In this case, the financial institution is not liable for failing to send out a notification alert for the S$1,000 transaction.
Telcos will not be involved in this assessment of losses because the link leading to the spoofed website was sent to the consumer via email and not SMS.
For this, the consumer bears 100 per cent of the loss.
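The three case studies read as a waterfall: the financial institution's duties (the 12-hour cooling-off period and transaction alerts at or above the consumer's threshold) are checked first, the telco's duty to block unverified SMS sender IDs second, and the consumer bears what remains. The following is an added example, not part of the article or the MAS consultation paper, that models that waterfall and replays the three cases; the sequential order of checks, the field names and the timestamps are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

COOLING_OFF = timedelta(hours=12)  # window after a new digital token is activated

@dataclass
class Incident:
    """Facts of one phishing case, in the terms the case studies use."""
    phishing_channel: str              # "sms" or "email" (how the link reached the consumer)
    transactions: List[int]            # amounts (S$) the scammer moved out
    notified: List[int]                # amounts for which the FI sent a transaction alert
    notification_threshold: int = 0    # consumer-set alert threshold (S$)
    token_activated_at: Optional[datetime] = None
    limit_raised_at: Optional[datetime] = None   # high-risk activity: limit increase
    sms_sender_id_verified: bool = True          # False = unverified sender ID let through

def fi_breached_duty(inc: Incident) -> bool:
    """Did the financial institution miss one of the two duties the case studies name?"""
    # Duty 1: no high-risk activity within 12h of a new digital token's activation.
    if inc.token_activated_at and inc.limit_raised_at:
        if inc.limit_raised_at - inc.token_activated_at < COOLING_OFF:
            return True
    # Duty 2: alert on every transaction at or above the consumer's threshold.
    return any(amt >= inc.notification_threshold and amt not in inc.notified
               for amt in inc.transactions)

def telco_breached_duty(inc: Incident) -> bool:
    # Telcos are in scope only when the phishing link arrived by SMS.
    return inc.phishing_channel == "sms" and not inc.sms_sender_id_verified

def assess(inc: Incident) -> dict:
    """Allocate the loss. Assumption: duties are checked in waterfall order FI -> telco -> consumer."""
    total = sum(inc.transactions)
    if fi_breached_duty(inc):
        return {"financial_institution": total}
    if telco_breached_duty(inc):
        return {"telco": total}
    return {"consumer": total}

def case_studies() -> dict:
    """Constructed inputs mirroring the three case studies (timestamps are invented)."""
    t0 = datetime(2024, 1, 1, 9, 0)
    return {
        "fi_at_fault": Incident("email", [10000, 10000], [10000, 10000], 0,
                                token_activated_at=t0, limit_raised_at=t0 + timedelta(hours=2)),
        "telco_at_fault": Incident("sms", [2000] * 5, [2000] * 5, sms_sender_id_verified=False),
        "consumer_at_fault": Incident("email", [1000, 2000, 3000], [2000, 3000], 1500),
    }
```

Running `assess` over `case_studies()` returns the institution, the telco and the consumer respectively as the sole bearer of the loss, matching the three outcomes above.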