
New Era of Fraud Prevention: Global Regulations Demand Accountability from Banks and Telcos


In an era where digital transactions are increasingly vulnerable to sophisticated fraud, regulators around the world are stepping up to enhance consumer protection and cybersecurity. Singapore's Shared Responsibility Framework, effective from 16 December 2024, allocates duties and liabilities among financial institutions, telcos, and consumers to combat phishing scams. Meanwhile in the UK, effective from 7 October 2024, payment service providers (“PSPs”) are required to make reimbursements to victims of authorized push payment (“APP”) fraud under a new regime applicable to payments made via Faster Payments and CHAPS. The EU is also making strides with the proposed third Payment Services Directive (“PSD3”) and the proposed Payment Services Regulation (“PSR”) which expand the liabilities of PSPs to make reimbursements for fraud losses. 

These initiatives reflect a growing global regulatory trend towards ensuring that stakeholders like financial institutions and telcos play proactive roles in safeguarding consumers from fraud, and that they are held accountable for fraud losses.

Singapore: Shared Responsibility Framework 

The Shared Responsibility Framework (“SRF”) in Singapore, which came into effect on 16 December 2024, marks a crucial step towards Singapore’s effort in detecting and preventing phishing scams. The SRF, introduced by the Monetary Authority of Singapore (“MAS”) and the Infocomm Media Development Authority (“IMDA”), strengthens accountability among financial institutions (“FIs”), telcos, and consumers, by assigning responsibilities and allocating losses among the three groups in situations of phishing scams.

Under the new framework, FIs on a specified list in Singapore, which includes 17 banks and 30 PSPs, are required to implement controls to fulfil their duties. The key duties include:

  1. Duty to impose a 12-hour cooling period when a digital security token is activated on a device or when there is a login from a new device. During the cooling period, high-risk activities cannot be performed on the account. High-risk activities include adding payees, increasing transaction limits, disabling transaction notifications, and changing the account holder’s contact information.
  2. Duty to provide real-time notification alerts when a digital security token is activated, when there is a login to an account on a new device, when high-risk activities are performed, and when outgoing payment transactions are made from an account. 
  3. Duty to provide customers with a reporting channel to report and block transactions, including a self-service feature to block access to the account.
  4. Duty to implement real-time fraud surveillance to identify and block unauthorized transactions made as part of phishing scams, and to notify or seek verification of the suspected transactions with the customer. 

There is a 6-month grace period for FIs to implement the fourth duty described above. The other duties are effective as of 16 December 2024. 
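The cooling-period duty and the notification duty above translate into a concrete authorization check: when a high-risk action is requested, the system looks up the most recent token activation or new-device login on the account and refuses the action if fewer than 12 hours have passed, while recording the alert that the real-time notification channel would send. The following is an added illustration, not code from MAS, IMDA or any FI. It assumes the account-wide reading of "cannot be performed on the account" (a new-device login on any device starts the cooling period for the whole account), and the account identifiers, device names and timestamps are constructed. Two edge cases a practitioner should think through are handled: comparisons use timezone-aware timestamps so that a naive local time cannot shorten or lengthen the window, and a second trust event during the window restarts it.

```python
"""Cooling-period gate for high-risk account actions (constructed example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum

# Length of the cooling period after a token activation or new-device login.
COOLING_PERIOD = timedelta(hours=12)


class Action(Enum):
    ADD_PAYEE = "add_payee"
    RAISE_TRANSACTION_LIMIT = "raise_transaction_limit"
    DISABLE_TRANSACTION_NOTIFICATIONS = "disable_transaction_notifications"
    CHANGE_CONTACT_DETAILS = "change_contact_details"
    OUTGOING_PAYMENT = "outgoing_payment"
    VIEW_BALANCE = "view_balance"


# Activities the framework treats as high-risk during the cooling period.
HIGH_RISK_ACTIONS = frozenset({
    Action.ADD_PAYEE,
    Action.RAISE_TRANSACTION_LIMIT,
    Action.DISABLE_TRANSACTION_NOTIFICATIONS,
    Action.CHANGE_CONTACT_DETAILS,
})


class TrustEvent(Enum):
    TOKEN_ACTIVATED = "token_activated"
    NEW_DEVICE_LOGIN = "new_device_login"


def _require_aware(when: datetime) -> None:
    # A naive timestamp would be compared in an unknown zone; refuse it outright.
    if when.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware to evaluate the cooling period")


@dataclass
class Account:
    account_id: str
    # (event, device_id, time) for every token activation / new-device login.
    trust_events: list = field(default_factory=list)
    # Set by the customer through the self-service block feature.
    blocked: bool = False
    # What the real-time alert channel would send (collected here for inspection).
    notifications: list = field(default_factory=list)

    def record_trust_event(self, event: TrustEvent, device_id: str, when: datetime) -> None:
        _require_aware(when)
        self.trust_events.append((event, device_id, when))
        self.notifications.append(f"{event.value} on {device_id} at {when.isoformat()}")


def cooling_period_end(account: Account):
    """When the account's cooling period ends, or None if no trust event exists."""
    if not account.trust_events:
        return None
    latest = max(when for _, _, when in account.trust_events)
    return latest + COOLING_PERIOD


def authorize(account: Account, action: Action, now: datetime):
    """Return (allowed, reason) for `action` on `account` at time `now`."""
    _require_aware(now)
    if account.blocked:
        return False, "account blocked by customer via self-service channel"
    if action in HIGH_RISK_ACTIONS:
        end = cooling_period_end(account)
        if end is not None and now < end:
            account.notifications.append(
                f"blocked {action.value}: cooling period ends {end.isoformat()}")
            return False, f"cooling period active, {end - now} remaining"
        account.notifications.append(f"high-risk activity performed: {action.value}")
    elif action is Action.OUTGOING_PAYMENT:
        account.notifications.append(f"outgoing payment at {now.isoformat()}")
    return True, "allowed"


def demo():
    """Walk a constructed account through the window; returns the decisions taken."""
    sgt = timezone(timedelta(hours=8))  # Singapore time, constructed scenario
    acct = Account("ACC-0001")
    t0 = datetime(2024, 12, 16, 9, 0, tzinfo=sgt)
    acct.record_trust_event(TrustEvent.NEW_DEVICE_LOGIN, "phone-new", t0)
    results = [
        authorize(acct, Action.VIEW_BALANCE, t0 + timedelta(minutes=5))[0],   # low-risk: allowed
        authorize(acct, Action.ADD_PAYEE, t0 + timedelta(hours=3))[0],        # inside window: blocked
        authorize(acct, Action.ADD_PAYEE, t0 + timedelta(hours=12))[0],       # window over: allowed
    ]
    # A token activation 13 hours in restarts the window for the whole account.
    acct.record_trust_event(TrustEvent.TOKEN_ACTIVATED, "tablet", t0 + timedelta(hours=13))
    results.append(authorize(acct, Action.ADD_PAYEE, t0 + timedelta(hours=14))[0])  # blocked again
    # Customer uses the self-service block: even low-risk actions are refused.
    acct.blocked = True
    results.append(authorize(acct, Action.VIEW_BALANCE, t0 + timedelta(hours=15))[0])
    return results, len(acct.notifications)


if __name__ == "__main__":
    print(demo())
```

The boundary is deliberately inclusive of the 12-hour mark (`now < end`), so the action is allowed exactly when the period has elapsed; whichever boundary convention an FI adopts, it should be written down and tested rather than left to arithmetic rounding.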

The framework also sets in place duties for Telcos, which include: 

  1. Duty to deliver SMS bearing a sender ID to subscribers only if it originates from authorized aggregators licensed by the IMDA, and otherwise to block such SMS.
  2. Duty to implement an anti-scam filter on the Telco’s SMS network.

There are also duties imposed on consumers to reduce the risks of them falling prey to phishing scams. Consumer duties generally include exercising vigilance and taking sufficient cyber precautions, including not clicking on suspicious links and not disclosing personal or account credentials to others.

The SRF sets out a four-stage workflow in processing claims for a disputed transaction made in a phishing scam: 

  1. Claim stage: The customer should report an unauthorized transaction to the FI, including providing sufficient information regarding the phishing scam.
  2. Investigation stage: The FI should first carry out an assessment of the claim to determine if a Telco should be involved.
    1. If the phishing scam was perpetrated through SMS, both the involved FI and Telco should investigate if they have individually fulfilled their duties. If the FI did not fulfil its duty, it is liable for the full reimbursement regardless of whether the Telco has fulfilled its duty. If the FI has fulfilled its duty but the Telco has not fulfilled its duty, the Telco will be liable for the losses. If both parties have fulfilled their duties, the customer will bear the losses.
    2. If the scam was not perpetrated through SMS, only the FI should investigate whether it has fulfilled its duties. The FI will bear the losses if it has not fulfilled its duty. Otherwise, the customer will bear the losses.
  3. Outcome stage: The FI will inform the customer of the outcome of the investigation. 
  4. Recourse stage: The customer may appeal the outcome of the claim through the IMDA or the Financial Industry Disputes Resolution Centre. 

UK: The APP Fraud Mandatory Reimbursement Framework 

Effective 7 October 2024, the UK’s Payment Systems Regulator and the Bank of England have implemented a reimbursement framework which requires PSPs to make refunds of payments to customers (consumers, micro-enterprises and charities) who are victims of APP fraud. The amount of reimbursement is capped at £85,000. (See Hogan Lovells’ article: UK APP fraud: What in-scope PSPs need to know about the new mandatory reimbursement regime)

The UK framework applies to authorized transactions made as a result of APP fraud committed via Faster Payments and CHAPS, but is limited to domestic payments made within the UK in pounds sterling. Unlike the Singapore framework, under which FIs are not required to bear the losses if they have fulfilled their duties, the only exceptions to the UK reimbursement framework are consumer fraud, gross negligence and breach of the consumer standard of caution, or a genuine dispute with the person paid by the consumer for the relevant goods and services.

EU: PSD3 and the PSR

In the EU, the proposals for PSD3 and the PSR, published in June 2023 and currently making their way through the EU legislative process, aim to strengthen consumer protection and mitigate payments fraud. (See Hogan Lovells’ PSD3 Impacts Report: Hogan Lovells PSD3 Impacts Report: Getting ahead of the evolving EU payments regulatory landscape) One of the recommendations within the proposals expands the scope of a PSP’s liability to make reimbursements for fraud losses. The PSD2 currently requires refunds only for unauthorized payment transactions. The new proposals expand the scope of refunds to the following scenarios:

  1. Spoofing fraud: Where a customer is scammed into authorizing a transaction because someone impersonated the PSP, the PSP is liable to make a full refund of the payment to the customer unless the customer has acted fraudulently or with gross negligence. Amendments proposed to the European Commission’s text by the European Parliament would extend this liability to payments that result from impersonation of ‘any other relevant entity of a public or private nature’. The Parliament has also proposed that if the spoofing fraud was perpetrated because an electronic communication service provider (“ECSP”) failed to remove fraudulent or illegal content once notified of its existence, and the consumer has, without any delay, reported the fraud to the police and notified its PSP, the ECSP is liable to make a full refund to the PSP.
  2. Failure to carry out verification of payee: The PSP must provide a free bank account number and name matching service to its customers to allow customers to verify the identity of the payee. If the PSP failed to do so or did not properly perform the matching, it is liable to refund the amount of the payment to the customer.   

What’s Coming Next in 2025 

Several countries are in the process of considering reimbursement frameworks for scam losses. In Australia, the Scams Prevention Framework Bill, which includes a compensation mechanism for scam victims to recover their losses, was introduced in the Parliament in November 2024. In the US, the bill “Protecting Consumers from Payment Scams Act”, which includes requirements for financial institutions to reimburse consumers for unauthorized or fraudulently induced transactions, was introduced in the House in August 2024. 

In 2025, we can expect more regulators to introduce local reimbursement and liability frameworks for fraud-related losses. As part of the wider global trend to combat fraud and money laundering, these frameworks will likely impose more compliance, monitoring, notification, and reporting duties on financial institutions and telcos. As more countries consider similar frameworks, the landscape of digital security is set to transform, demanding robust compliance and vigilance from all stakeholders. 

It is crucial for businesses in the financial and telecom industries to monitor local regulations and review their internal procedures to ensure compliance with latest regulatory requirements. This will be a timely opportunity for these businesses to enhance their internal controls, including anti-fraud policies, fraud surveillance capabilities, staff training, and internal investigations processes. 

How We Can Help

With extensive experience in regulatory compliance, we are well-positioned to assist your company in navigating the requirements of the local reimbursement framework. Our services include:

  1. Policy Development: Assisting in the development and implementation of policies and procedures to comply with the local regulations.
  2. Training Programs: Providing tailored training programs for your staff to ensure they are well-versed in the new requirements under the SRF and best practices for scam prevention.
  3. Ongoing Support: Offering ongoing support and advice to help your institution stay compliant with evolving regulatory requirements.


Authored by Nick Williams, Khushaal Ved, and Hsiao Tien Tan
