Adjournment Motion

Losses from Scams and Malware Fraud: Doing Right by Bank Customers

Summary

This motion concerns the escalation of financial scams and the proposed "Shared Responsibility Framework" for equitable loss-sharing between banks and victims. Ms Sylvia Lim argued that banks should bear an outsized responsibility for reimbursements, similar to the United Kingdom’s model, while suggesting the reintroduction of physical tokens and higher claim limits for the Financial Industry Disputes Resolution Centre. She further criticized the use of one-sided non-disclosure agreements in private settlements and urged that the upcoming framework be applied retrospectively to past victims. Minister of State Alvin Tan highlighted the Government’s three-pronged strategy focusing on upstream prevention, downstream bank measures, and public education to combat increasingly sophisticated malware-enabled fraud. He concluded by affirming the Government’s commitment to sharpening anti-scam measures and ensuring public confidence in Singapore’s digital banking and payment systems.

Transcript

ADJOURNMENT MOTION

The Deputy Leader of the House (Mr Zaqy Mohamad): Mr Speaker, Sir, I beg to move, "That Parliament do now adjourn."

Question proposed.

Losses from Scams and Malware Fraud: Doing Right by Bank Customers

Mr Speaker: Ms Sylvia Lim.

6.23 pm

Ms Sylvia Lim (Aljunied): Mr Speaker, financial scams have become a major issue affecting Singaporeans. According to the Police's annual statistics for 2022, reported cases of scam and cyber crime increased by 25% year on year, totalling nearly 33,700 cases or 92 reports per day. Many more may have gone unreported.

Criminals are also becoming increasingly sophisticated and even more technologically savvy young adults are falling prey to these scams.

On the human level, the suffering caused by such scams is devastating. As Members of Parliament, we see too many residents who have lost large sums, in the hundreds of thousands of dollars. In most cases, lost monies are unlikely to be recovered.

The losses suffered by each victim are not just measured in monetary terms, that is, how much was lost; but also measured by the impact of that loss on the individual or the family, on persons with serious health issues, on retirees, on those with mouths to feed, on the vulnerable.

When it comes to scams, the Government and, in particular, the Monetary Authority of Singapore (MAS) has consistently said that it expects banks to treat its customers fairly.

Well, what exactly does the MAS expect of banks and how does it exercise its supervisory power? For the customers, what recourse or support does the Government provide to them?

That is the focus of my Motion today.

In a Straits Times opinion piece last Thursday, 14 September, technology editor Irene Tham opined that in order to fight scams, we may have to ditch some practices that make transactions easy. She pointed out that among others, banks needed to start accepting more responsibility. Consumers too may have to put up with some inconvenience to keep online dealings secure.

In my view, the Government, as the regulator, also needs to step up.

Before I proceed further, it is only fair to acknowledge the efforts by multiple agencies to address the scourge of scams. Among these efforts, the most visible are the scaled up public education and the setting up of the Anti-Scam Command and Anti-Scam Centre, with collaboration between law enforcement and banks.

I have also come across cases where banks managed to contact customers quickly and were able to stop a transaction before it was completed. But such success is, I believe, relatively rare.

On the specific question of who should bear the loss of scams, we understand from a Parliamentary answer in May that the MAS intended to issue a public consultation on a framework for the equitable sharing of losses in the third quarter of this year. This was the latest update to the House after pushing back the publication date for more than a year, citing the complexity of the issues.

No doubt one such issue is likely the wide typology of scam victims, from those who are tricked by half-baked schemes to the tech savvy who inadvertently loaded malware onto their phones.

That said, the first clarification I would like to seek is – is the time frame for releasing the consultation by third quarter of this year, that is, by this month or two weeks from now, still on track? If it is not, then what is causing the delay and by when can the paper be released?

Sir, while the draft framework has not yet been published, the MAS has previously indicated that bank customers have a responsibility to take necessary precautions and should be expected to bear the proportion of the loss depending on whether and how the party has fallen short of its responsibilities.

Sir, this is inadequate and unjust for three reasons.

First and fundamentally, consumers are not sufficiently equipped to combat scams. Fraudsters have become increasingly sophisticated and can now take control of a customer's phone and obtain their bank login details through the clicking of a malicious link. Even the most technologically savvy person could easily make this mistake and within a day, have their life savings wiped out.

While education and outreach efforts may go some way to mitigating this, it will always be playing catch up with these organised criminals. With their increasing sophistry, targeting prey through social engineering, does the targeted person really stand a chance?

Second, deciding in each case what is equitable will take time and may be irrelevant to the more vulnerable in our society.

According to the Financial Industry Disputes Resolution Centre (FIDReC), which oversees many such disputes, most cases are resolved within six months. For a family whose life savings have been wiped out, this would be an inordinate and stressful delay.

Further, forcing certain vulnerable groups such as the elderly to confront a big bank would be far from ideal. On a practical level, it would be difficult for them to gather and present evidence to prove that they have taken necessary precautions as will be required by the MAS.

Lastly, as to who should lead in combating scams, banks are best positioned and the best resourced to do so. Therefore, banks should take an outsized role in preventing them. Banks are able to monitor transactions, block suspicious payment flows and keep abreast of the latest technological developments. Such endeavours are beyond the remit of most bank customers.

Having emphasised why the banks should take the lead in combating scams, I shall move on to three policy solutions the Government should consider. The first suggestion looks at how some other jurisdictions are protecting consumers. The second deals with some additional safeguards that the Government should require of banks. Thirdly, I will argue why the Government should not take a hands-off approach when banks enter settlement agreements with affected customers.

First, policy suggestions and what some other jurisdictions are doing to protect consumers. Mr Speaker, I urge the Government to consider the solution used in the United Kingdom (UK). From next year, banks in the UK will be required by law to fully reimburse scam victims. This will apply except in cases where the customer was fraudulent or grossly negligent or the transaction involved cryptocurrency or international payments.

The mandatory reimbursement would cover payments through their Faster Payment platform in situations we are familiar with such as customers being tricked into transferring money, customers clicking on fake advertisements on social media, customers who were phished or hacked despite precautions and customers who were groomed over time such as love scams. The solution for such mandatory reimbursement is simpler and quicker. It will generally not require a time-consuming and resource-intensive adjudication process for each case.

Sir, the UK payments regulator has explained how this would work. It would be limited only to certain types of domestic payments, with both the sending and receiving payment providers each sharing half of the reimbursement. These providers would have to do so within five business days. It is noteworthy that the UK is a major financial centre and is prepared to take this tough stance against the banks.

What about other jurisdictions? Australia is also reportedly considering adopting similar measures. Meanwhile, the European Commission (EC) too has moved on this. In July this year, the EC proposed granting a refund to victims of authorised push payment fraud in certain circumstances as part of revisions to the EU payments directive.

Sir, I believe that this solution can and should be implemented in Singapore. It could cover all transfers between banks in Singapore via the FAST and PayNow systems. Like the UK system, it could be scoped to protect customers who are consumers, small businesses and charities. This would give Singaporeans the confidence to transact using these methods without fear that their savings would be unknowingly syphoned off. It would also ensure that victims of these scams will be compensated in a timely manner without having to undergo a complex adjudication process.

Sir, while some may argue that this would be unfair to the banks, I disagree. As I mentioned earlier, banks are best placed to identify and detect suspicious transactions such as when a customer's bank account is emptied over a short time, transfer limits are quickly changed, and new payees are added. A cost-benefit analysis by the UK Payment Systems Regulator has also shown that the reimbursement model would incentivise payment service providers to improve the detection and prevention of fraud.

This finding seems to resonate with banks who have been reimbursing customers who have been scammed. According to a senior official of UK bank TSB, having to reimburse customers for online fraud has incentivised it to be more proactive in detecting and preventing scams from the outset, resulting in less fraud. To state the obvious, prevention is preferable to reimbursement as it stops the problem at its root.

As more jurisdictions adopt such measures, international banks will not baulk at such requirements or see Singapore as an outlier if it adopted similar measures.

Sir, I also wish to address the concern about individual responsibility. While the MAS did note that bank customers have the responsibility to take necessary precautions, it cautioned that compensation paid should not weaken the incentive for all to be vigilant. The reimbursement model still retains an element of individual responsibility as there will be no reimbursement where a customer is grossly negligent. However, the point remains that individual responsibility alone is insufficient to combat these increasingly sophisticated and malicious scams.

Mr Speaker, I also urge the Government to consider ensuring that the loss-sharing framework applies retrospectively. While there is a general presumption that the laws should not apply retrospectively, this is a specific instance where it should.

The Court of Appeal has explained in the case of ABU vs Comptroller of Income Tax that retrospective legislation is undesirable because it imposes penalties or other disadvantages without fair warning and undermines expectations.

However, I would argue that this would not apply here, given that banks have been put on notice since the MAS informed the banks of a desire to implement a loss-sharing framework in February 2022, or one and a half years ago. Banks had also been consulted as part of the process as early as 2021, being part of the Payments Council.

Sir, given the delay in the publication of this framework, many scam victims have been left without recourse under the loss-sharing framework by no fault of their own. Accordingly, I urge the Government to ensure that these victims will be allowed to have their claims adjudicated fairly under the framework.

Next, policy suggestion two – additional safeguards for bank customers.

Mr Speaker, a further measure that can help us fight scams is the reintroduction of physical tokens as a default measure for two-factor authentication (2FA). Today, most banks only offer these on request and have a digital token or SMS verification as the default option for 2FA. This means that the mobile phone becomes the single source of vulnerability. Should the phone be infected with malware, 2FA does not, in effect, act as a second degree of authentication. As pointed out by Ms Irene Tham in her article last week, experts believe that it is time to resurrect hardware tokens, which are standalone devices apart from the phone. MAS should advise banks to promote the physical tokens as the default option.

I also asked the Government to consider implementing additional verification checks where a customer transfers money to bank accounts of entities associated with cryptocurrencies or digital payment tokens (DPTs).

To be fair, the MAS has recognised the risk involved with DPTs and has sought to regulate consumer access to DPTs. I urge them to further consider regulating transfers to bank accounts associated with DPT service providers. DPTs carry a higher risk of dissipation and are more difficult to trace, especially when transferred to wallets around the globe. Imposing mandatory delays, transfer limits and additional authentication could go a long way towards preventing customer monies from being siphoned off by fraudsters.

Sir, vulnerable customers are another category to watch out for. Added verification steps and longer mandatory waiting periods should also be implemented where the transaction involves a vulnerable client, such as an elderly or mentally impaired person. Banks should adopt closer scrutiny over transactions from such accounts, mandating lower transfer limits and longer waiting times by default.

Sir, I acknowledge that the measures I have suggested may cause inconvenience to some customers. For all these measures, banks can provide customers the option to opt out of these safeguards provided that they are sufficiently aware of the risk.

Next, policy solution three – safeguarding customers from unfair settlements.

Mr Speaker, some of us have received feedback from scam victims about how their banks try to settle their complaints. First, the sums offered as goodwill payments may be paltry in relation to the loss. Moreover, such offers are usually tied to non-disclosure agreements (NDAs) which are onerous and one-sided, requiring absolute secrecy from the customer and requiring the customer to forgo all rights to recover further sums. The one-sidedness of such arrangements was also alluded to by Member Yeo Wan Ling in a Parliamentary Question filed in November last year.

Sir, the MAS has made it clear that it did not intend to regulate settlements. However, the unequal bargaining power between the banks and consumers is obvious. Will the MAS stand by if desperate customers are being bulldozed and bullied? A hands-off approach by the MAS is unacceptable. On this issue, please let me elaborate in Chinese.

(In Mandarin): [Please refer to Vernacular Speech.] When bank customers complain to their banks of the amount they lost to fraud, some banks will only offer them a small amount to solve the issue. Moreover, such offers are usually tied to signing an agreement of non-disclosure (NDAs) by the customer. This means that these customers are giving up their right to recover further sums in future. The unequal bargaining power between the banks and consumers is obvious from this situation. The Government should not take a hands-off approach. Instead, the Government should roll out regulations for banks to comply with.

(In English): Sir, while I agree that the MAS cannot micromanage the banks, can it do more than issue a motherhood statement that MAS expects the banks to treat their customers fairly?

At present, banks in Singapore have published a voluntary Code of Consumer Banking Practice. Under paragraph 3B of the Code, fairness is a key principle in resolving a dispute between the consumer and the bank. However, as a voluntary code, it lacks regulatory bite.

I urge the MAS to consider adopting regulatory guidelines to enshrine fairness as a key principle in the settlement of consumer disputes, especially in relation to scams.

Some possible guidelines include banning the use of onerous practices such as blanket NDAs, which require customers to give up legitimate claims to recover monies. Customers should also be given full disclosure about their rights and forms of recourse against the bank. Perhaps the MAS could consider prescribing clauses in agreements that do not prejudice customers.

Sir, in some cases where customers have complained to the MAS about settlements being unfair, these customers have been asked to approach FIDReC instead for assistance. Sir, let me say something about the FIDReC option.

There is currently a monetary limit of $100,000 per claim for FIDReC adjudication. Such a limit discourages those who have lost more from going to FIDReC. Should this monetary limit not be raised? Since the daily transfer limit for most customers for PayNow is $200,000 per day, would this limit not be more relevant to FIDReC today?

Such a revision to FIDReC's monetary limit —

Mr Speaker: Ms Lim, you have under a minute left.

6.41 pm

Ms Sylvia Lim: — would make FIDReC a more serious option for larger claims.

Sir, let me conclude. Mr Speaker, it is time for the Government to act swiftly and decisively on scam losses. Of paramount importance is ensuring that Singaporeans have confidence in their banking system and ensuring that those who have suffered a loss are fairly compensated. The draft framework for loss-sharing is overdue.

I have also highlighted why requiring customers to bear losses when they were not grossly negligent would not be fair. The Government should consider developments in other jurisdictions such as the UK to ensure that banks bear the cost of reimbursing victims, as they are the best placed to identify and prevent such scams. Other measures such as a return to physical tokens and ring-fencing funds from high-risk activities like cryptocurrencies should also be considered.

Lastly, the Government should provide a framework to protect customers from unfair settlements and look at raising the monetary limit of FIDReC.

I urge the Government to do its part to ensure that we do right by bank customers.

Mr Speaker: Minister of State Alvin Tan.

6.43 pm

The Minister of State for Culture, Community and Youth and Trade and Industry (Mr Alvin Tan): Mr Speaker, I thank the Member for tabling today’s Motion.

I share her concerns over losses suffered from scams, as do other Members in this House. Over the past year, Dr Tan Wu Meng and Ms Yeo Wan Ling have raised questions on the avenues of recourse for customers who suffer losses from scams. Mr Saktiandi Supaat and Dr Lim Wee Kiak also asked about the status of the Shared Responsibility Framework.

Let me touch on our broad strategy to fight scams before highlighting ongoing efforts by the Government and banks against more concerning scam typologies. I will then share the avenues that customers have for recourse and provide an update on the Shared Responsibility Framework.

Singapore adopts a three-pronged strategy to fight scams.

First, upstream measures, such as the ScamShield mobile app to filter and block scam messages and calls, and the SMS Sender ID Registry regime to label non-registered senders with the “Likely-SCAM” label.

Second, downstream measures. These include bank measures implemented last year.

And third, public education through public advisories and sharing best practices to fight scams.

Our collective efforts are showing some encouraging signs. The total amount of scam losses decreased slightly in the first half of 2023, compared to the same period in 2022.

Nevertheless, the scam situation remains serious. With more of us transacting digitally, bad actors are adopting increasingly sophisticated methods to target victims. We must constantly sharpen our approach to fight scams in this rapidly evolving landscape.

Among scam types prevalent today, digitally enabled scams involving phishing and malware are of gravest concern. This is where victims either gave away or had their banking credentials stolen, leading to unauthorised transactions. In recent months, we have seen a growing number of malware-enabled scam cases, with some victims suffering considerable losses. Left unaddressed, such scam threats and ensuing losses can undermine public confidence in payments and digital banking.

The Government is resolute in fighting malware-enabled scams, and we have augmented our efforts under the three prongs I mentioned.

First, upstream measures. The Cyber Security Agency of Singapore (CSA) and Singapore Police Force (SPF) are working with key tech players to limit mainstream access to identified malware variants and tools, such as those used in scams seen here in Singapore.

Agencies are also working with industry and international partners to raise the security standards of mobile operating systems and mobile devices.

Second, downstream measures. SPF has taken timely enforcement action, and works with banks to trace and recover funds. SPF also collaborates with overseas law enforcement agencies to take down cross-border scam syndicates.

MAS has also been working closely with our banks to strengthen anti-malware controls, fraud surveillance, and detection capabilities. Major retail banks have hence enhanced the security measures to protect customers against malware scams and will progressively introduce refinements or new measures to keep pace with changes in the threat landscape. Members might know that the Association of Banks in Singapore (ABS) announced this a few hours ago.

A recent example is OCBC’s move to block mobile banking access on devices that are detected to carry potentially malicious apps. Other banks are also implementing similar measures.

Banks are also exploring MoneyLock, to allow customers to set aside an amount in their bank accounts which cannot be digitally transferred out without strict authentication measures. This will further help to limit losses against scams.

Third, public education. Members of the public must take active steps to protect themselves against scams. We must foster stronger adoption of scam prevention actions and cyber hygiene practices through public engagements.

SPF, CSA, MoneySENSE and banks have used multiple platforms such as outreach events, social and print media, as well as digital display panels to broadcast simple advisories, including messages such as "download only from official app stores" to the public.

To the Member's point, the Government is also targeting outreach and messages to vulnerable groups, including seniors, students and migrant workers.

I will now address the matter that she raised about who should be responsible for scam losses. And I think the House understands that this is a difficult issue, since amounts lost in any single case can be substantial. We must, hence, strike a balance between fairness, accountability and compassion.

There are some views that banks can easily absorb losses arising from individual scam cases. However, full restitution without due consideration of culpability is neither fair nor desirable. Doing so can erode vigilance and personal responsibility and lull users into complacency.

Ms Sylvia Lim suggested that customers rely on banks to ensure the security and the robustness of their online banking and payment options. This is indeed so.

MAS requires banks to secure digital systems, including by implementing multi-factor authentication to verify a customer’s identity and to authorise online transactions; and also sending notification alerts to customers so they can report unauthorised transactions as soon as possible. However, we should also note that scammers can still bypass these digital security measures, by deceiving customers into inadvertently divulging their account access credentials or downloading malware, thereby granting scammers remote access to victims’ devices and their accounts.

Individual customers thus also have an important responsibility to protect access to their accounts and this includes practising good cyber hygiene and being diligent in preventing their login information and one-time passwords (OTPs) from being divulged to third parties.

MAS has issued guidance for banks to institute clear customer handling and investigation processes and to treat customers fairly in all disputes. MAS also monitors how banks handle such disputes. In scam cases, banks must consider if they have fulfilled their obligations, and whether the victim had acted responsibly. Customers who practised good cyber hygiene and were diligent in preventing their login information and OTPs from being divulged to third parties, should not have to bear losses.

Depending on the facts of each case, banks may offer goodwill payments to customers. If a customer is unsatisfied with an offer, he may decline and approach FIDReC for mediation and adjudication. A customer can further pursue his case in court if he is not satisfied with the outcome.

If the customer accepts a goodwill payment offer, he or she will be bound by the terms of the offer. Should new information come to light that is materially different from the premise upon which the customer had accepted the goodwill offer, the customer can request the bank to relook the case, or to approach FIDReC for assistance.

Finally, let me provide an update on the Shared Responsibility Framework. While this has taken longer than we would like, the Government aims to publish a consultation paper on the framework next month, focusing on phishing scams as a start. Ms Sylvia Lim pointed out that some other countries, including the United Kingdom, have either implemented or are considering mechanisms to mitigate the burden of scam losses. We are monitoring these developments, and will take them into account as we further develop this framework, including for other types of scams in the digital payments ecosystem.

Ms Sylvia Lim also talked about the physical token. Customers can request physical tokens and MAS is also looking at her suggestion.

On the other part about the digital payment tokens or cryptocurrency, I wanted to say that MAS also continues to watch for developments in the digital payment tokens or cryptocurrency space, and will regularly review the adequacy and appropriateness of these regulations.

On her point of FIDReC, FIDReC will also continue to monitor and regularly review its process and procedures.

Mr Speaker, allow me to sum up. Scams are an ever-present and evolving threat. The Government will spare no effort to implement effective upstream and downstream anti-scam measures alongside industry. In doing so, as the Member suggested, we may inevitably sacrifice some convenience to achieve better security. Finally, a discerning and vigilant public remains an essential pillar in our fight against scams.

Again, I thank Ms Sylvia Lim and Members in this House for their focus on this very important and rapidly evolving issue and I welcome all of you to work with the Government, to join us in our ongoing fight against scams.

6.52 pm

Question put, and agreed to.

Resolved, "That Parliament do now adjourn."

Mr Speaker: Pursuant to Standing Order 2(3)(a), I wish to inform hon Members that the Sitting tomorrow will commence at 1.30 pm. Order, order.

Adjourned accordingly at 6.52 pm.