Strengthening Enforcement and Public Education

2.45 pm

The Minister of State for Home Affairs (Mr Desmond Tan) (for the Minister for Home Affairs): Mr Speaker, Minister Lawrence Wong and Minister Josephine Teo have given an update on the measures to secure banking and communications channels from phishing scams.

I chair the Inter-Ministry Committee on Scams, or IMCS in short, which was set up in April 2020. The IMCS brings together Government agencies, such as MHA, SPF, MCI, MAS and MTI, and also works with private sector partners, such as the Association of Banks in Singapore, or ABS, to coordinate efforts to combat all scam types. These include phishing scams, job scams, loan scams, just to name a few, as well as e-commerce scams. IMCS focuses its efforts to coordinate across agencies to review the scam types and trends, as well as to propose countermeasures. It also enhances enforcement and responses to these scams. Thirdly, IMCS strengthens public education and vigilance against scams.

My Statement will focus on two aspects of our anti-scam strategy: enforcement and education.

The main challenge in enforcement is that the vast majority of scams are perpetrated by syndicates that are based overseas. Such cases are difficult to investigate and prosecute for three reasons.

Firstly, our ability to solve these cases depends on the level of cooperation from overseas law enforcement agencies, as well as their ability to track down scammers in their own jurisdictions.

Second, these scammers are typically part of an organised criminal syndicate. They run sophisticated transnational operations which are not easy to detect or dismantle. The syndicates are well-resourced and adept at using technology to cover their tracks.

Thirdly, when monies have already been transferred out of Singapore, recovery is very difficult.

SPF works closely with our overseas counterparts to exchange information and conduct joint operations. For example, in 2021, SPF’s collaboration with law enforcement agencies, such as the Royal Malaysia Police, as well as Hong Kong, led to the takedown of 16 scam syndicates and the arrest of around 230 persons.

Coming back to the OCBC phishing scams, Dr Tan Wu Meng, Mr Sitoh Yih Pin and Mr Dennis Tan asked for an update on the ongoing investigations into the OCBC phishing scam.

As at 13 February, SPF has frozen 121 local bank accounts and recovered about $2 million. In addition, about $2.2 million of victims’ funds have been traced to 89 overseas bank accounts.

Based on SPF’s preliminary investigations, at least 107 local and 171 overseas IP addresses were linked to the unauthorised access of the victims’ Internet banking accounts. Many of the scam websites used in the phishing scam were hosted by web hosting companies that are based overseas.

SPF has commenced investigations into the local IP addresses linked to the scam and the owners of the local money mule accounts. SPF is now also working with INTERPOL and foreign law enforcement agencies to investigate the beneficiaries of the funds transferred overseas and the hosts of the scam websites.

As investigations are right now ongoing, we are not able to divulge any more information at this moment.

The OCBC phishing scam cases occurred amidst a rise in the number of scams reported in Singapore, which Mr Ang Wei Neng, Dr Tan Wu Meng and Miss Cheng Li Hui asked about.

In 2021, 23,931 cases of scams were reported, of which 5,020 were phishing scam cases. This is more than a fourfold increase from the 5,147 cases of scams reported in 2017, of which only 16 were phishing scam cases.

Specifically, for phishing scams involving SMSes impersonating banks in Singapore, there were no cases in 2017, but there were 91 in 2018; 57 in 2019; 149 in 2020; before increasing significantly to 1,021 in 2021, in view of the OCBC phishing scams. The OCBC phishing scam alone accounted for 790 customers in the two months from December 2021 to January 2022, by far the largest phishing scam involving spoofed SMSes, as mentioned by Minister Lawrence Wong earlier. The use of a combination of highly-orchestrated tactics, involving spoofed SMSes appearing in the same thread as genuine messages from the bank and links directing victims to a scam website, as well as the large number of customers targeted in the OCBC scam, shows that the threat is now significantly heightened.

On Assoc Prof Jamus Jerome Lim’s query, in 2021, card fraud cases reported by major credit card issuers in Singapore to MAS formed less than 0.1% of total credit card transactions. MAS and SPF do not track the percentage of funds recovered for these unauthorised credit card transactions.

Mr Murali Pillai and Mr Ang Wei Neng asked if SPF is sufficiently resourced to combat scams. Police are extremely stretched. Our officers have been trying to cope with increasing workload and expectations, without proportionate increase in manpower. We will need to review this untenable situation.

Nevertheless, with whatever resources we have, we have reorganised ourselves for greater efficiency and effectiveness. For example, SPF set up the Anti-Scam Centre (ASC) in 2019 as a specialised unit focused on anti-scam interventions and enforcement.

In 2021, the ASC conducted 26 islandwide anti-scam operations, which resulted in the arrest of around 7,500 money mules and scammers.

The ASC also partners private sector stakeholders to disrupt scammers’ operations. For example, it has worked with telecommunications companies to terminate scam-tainted phone lines, and with online marketplaces to remove suspicious online monikers and advertisements.

Since 2019, the ASC has frozen around 24,000 bank accounts suspected of being involved in scam activities and recovered about $160 million in scam proceeds.

This would include part of the $17 million lost since 2020 to about 1,300 cases of phishing scams involving spoofed SMSes impersonating banks in Singapore, a question which Dr Tan Wu Meng asked about. SPF does not track the amount of funds recovered by scam type.

Recovery of monies lost to scams is very difficult. Where we have been able to, it involved close partnerships with financial institutions, in particular, by having a DBS staff co-located with SPF at the ASC to provide swifter and real-time coordination and intervention.

ASC and MAS are working with more banks to co-locate their staff at the ASC, to further enhance the ASC’s capabilities to freeze accounts, as well as to trace the flows of money.

SPF will be forming an Anti-Scam Command this year to consolidate expertise in scams across all SPF land units, and thereby further improve coordination of anti-scam enforcement and investigation. The Command will also oversee the newly-formed Scam Strike Teams in the seven Land Divisions, which were set up to enable us to take swifter action against scams.

As Mr Edward Chia and Mr Christopher de Souza suggested, SPF has also leveraged technology and will continue to do so.

The ASC uses technology to automate manual work processes, such as the generation of electronic production orders to the banks for the freezing of bank accounts that are associated with scams and sending out personalised crime advisories to members of the public. This will allow the Police resources to focus on essential criminal investigations and enforcement work.

SPF also uses technology, such as ScamShield, to crowdsource information on scam calls and SMSes. It provides SPF with information on emerging trends. This enables SPF to react faster to the various scams.

Another example is SPF and MAS’ ongoing study with banks to explore the use of enhanced fraud surveillance systems based on artificial intelligence to flag suspicious transactions and identify possible fraudulent behaviour in real-time.

Next, I will touch on improving public education.

Enforcement, by itself, is not sufficient. To Ms Foo Mee Har’s question on how consumers can be better protected, the best defence is a discerning public. Hence, the Government has been creating strong public awareness on scams.

Miss Cheng Li Hui asked about the challenges in educating Singaporeans on anti-scam precautions and measures. A key finding from the 2019 National Prevalence Survey of Scams was that scam victims tend to lack practical knowledge on safe practices. While the majority of scam victims had come across anti-scam public campaigns and messages, many of them could not recall specific scam prevention tips. They also exhibited poor online hygiene, such as opening emails from unknown sources.

The Government’s anti-scam public education campaign, called "Spot the Signs. Stop the Crimes", aims to address these challenges. The campaign emphasises the importance of individual responsibility and also uses real-life examples to build awareness and vigilance on the tell-tale signs of scams. As part of this campaign, we have disseminated materials advising the public on scam prevention tips, such as never to share one-time-passwords (OTPs) with unverified parties and to be wary of requests for gift cards and online credits.

Mr Mohd Fahmi Bin Aliman asked if there is an age group that is most vulnerable to phishing scams and the common scams that different segments of the population fall prey to.

Scam victims are of a wide range of ages; everyone is susceptible. That said, different profiles of victim falls prey to different types of scam.

For phishing scams, job scams, e-commerce scams, investment scams, loan scams, China official impersonation scams, as well as fake gambling platform scams, we found that young adults between 20 and 39 years old formed the largest group of victims, compared to other age groups. For social media impersonation scams, Internet love scams, and fake friend call scams, adults between 40 and 59 years old formed the largest group of victims. Hence, the Government has also rolled out prevention initiatives targeted at specific population segments.

SPF and NCPC have partnered ABS on various initiatives to educate bank customers. For example, the banks have introduced an online quiz on scam prevention. They have also sent out advisories to customers to remind them not to share their OTP with others.

Banks have also stepped up their efforts to also train their frontline staff to help customers spot signs of scam. For example, in June 2021, OCBC staff helped to prevent a 57-year-old customer from being scammed. The customer had wanted to remit around 6,000 euros to her Internet “boyfriend” based in the United States. OCBC branch staff noticed that the fund transfer was to be made to a personal bank account in Thailand and suspected that the customer was being scammed. The OCBC staff spent hours trying to dissuade the customer from transferring the funds and worked with SPF officers to try to advise the customer from sending any money. Eventually and thankfully, they managed to convince the customer that she was being scammed, after the “boyfriend” was not available for a video call that bank staff worked with the customer to arrange.

Another example of a preventative initiative is the “SG Cyber Safe Seniors Programme” launched in June 2021 by the Cyber Security Agency of Singapore (CSA), Infocomm Media Development Authority (IMDA) and SPF. The programme seeks to raise seniors’ awareness of online scams and encourage them to adopt good cyber hygiene. Under the programme, CSA and its partners, such as the SG Digital Office, offer scam prevention tips, including how to spot signs of phishing and avoiding the sharing of personal information and OTPs.

The IMCS will step up our public education efforts by scaling up targeted outreach. We will partner agencies and stakeholders that serve as key touchpoints for population segments of interest and leverage their communications channels to push out anti-scam messages targeted at different segments.

For example, IMCS has started working closely with the Agency for Integrated Care, MOE, MOM and MoneySense to push out anti-scam information and awareness programmes for our seniors, students, even migrant workers and professionals.

The IMCS has also started to work with stakeholders from the private sector: partnering ABS to reach out to consumers who use banking services and major e-commerce platforms and marketplaces to reach out to consumers transacting on those online platforms.

Everyone should also download ScamShield, to filter out scam messages and block scam calls.

To date, ScamShield has been downloaded about 257,000 times. About 3.5 million SMSes and calls have been picked up as potential scams by the in-app algorithm and user self-reporting through the app. About 15,500 phone numbers have also been blocked. We are unable to provide Mr Gerald Giam with the percentage of scam calls and SMSes successfully blocked, as ScamShield does not track the number of calls and SMSes made or received by the users.

ScamShield picked up and filtered about 2,000 scam messages used in the OCBC phishing scams. Unfortunately, a lot more scam messages managed to reach the SMS inboxes of ScamShield users, mainly because they appeared in the same thread as legitimate messages. This gap will be addressed as agencies enhance our SMS ecosystem, as Minister Josephine Teo explained.

That said, ScamShield, in itself, is not a panacea and all parts of the ecosystem need to work together to combat scams, including vigilance from all members of the public.

When ScamShield was developed, we made it available to iOS devices first as it was functionally easier to build. We had, initially, planned to launch the Android version of ScamShield in late 2021, but it was delayed as GovTech had to reprioritise resources towards supporting our efforts against COVID-19. Agencies are now working towards developing and releasing the Android version in the coming few months.

IMCS will continue our efforts to encourage the public to download ScamShield, including through community engagements by SPF and Volunteer Crime Prevention Ambassadors. I would also like to call on Members of this House to encourage your residents to download ScamShield.

In concluding, combating scams needs a whole-of-society effort. Even as SPF steps up enforcement, members of the community still play a vital role. We urge the members of public to be individually alert and also to raise collective awareness by sharing scam prevention tips with your friends and family. Together, I am confident we can build a safer Singapore. Thank you, Mr Speaker.

Mr Speaker: Dr Tan Wu Meng.

3.03 pm

Dr Tan Wu Meng (Jurong): Mr Speaker, I thank the Ministers for their Ministerial Statements. I have two questions and one suggestion. Sir, many of my Clementi residents were very worried to hear about what happened and it is important that MAS has recognised that there needs to be equitable sharing of losses when an incident happens.

My first question is, will this proposed equitable sharing look at the difference between an unforced error compared to a forced error, where a customer was led or pressured into making an error, as appears to have been the case with the OCBC phishing scam?

The second question, Mr Speaker, will this proposed framework for equitable sharing of losses also consider the speed of the bank response when a consumer is trying to get help? One of my Clementi residents described it thus. He said, "Imagine you got tricked, someone copied your house keys, they are looting your house now, you call for help and you are put on hold. You wait to press a number or get to the right department." That is what my resident said and they are worried what happens if this is their experience in a scam.

Sir, for the suggestion, may I suggest to the Ministries, if they have not already done so, there can be Red Teams looking at not just fighting the last scam war, but the next one because, today, we know there are deepfakes for voices, deepfakes for video calls as the technology improves. We have to be ready for the next character of scams. Likewise, is there a role for white hat scammers, just like there are white hat hackers – white hat scammers actively testing the bank's procedures to look for vulnerabilities before fellow Singaporeans suffer avoidable losses?

Mr Lawrence Wong: Mr Speaker, I thank Dr Tan Wu Meng for his suggestion on the last point. Indeed, we cannot be fighting the last war, we have to look ahead, anticipate vulnerabilities and continually look at different ways to improve our system, and MAS is certainly committed to this process.

On the framework for the sharing of losses incurred by customers, this is a complex issue. I mentioned just now that it is being deliberated upon by the Payments Council, which is chaired by MAS, and it aims to put up something for public consultation within the next three months. I do not want to get ahead of the process, but I would just want to set out some key principles which the Council is using to guide its deliberations.

First, the framework for the sharing of losses should be consistent and common. So, it should not matter which bank you go to; it has to be applied consistently across the entire industry.

Second, the framework should be equitable in determining how losses are to be shared, because both banks and customers have their respective responsibilities. So, Dr Tan Wu Meng talked of some scenarios about speed and whether or not it is a forced or unforced error. But what we intend to do is to be quite clear and specific about what these responsibilities are for financial institutions and customers and what each party is expected to do to prevent scams. Then, the share of losses each party bears will depend on whether and how the party has fallen short of these very clearly stated responsibilities.

I think that is a fair and equitable principle, But, obviously, there are many details to be worked out. So, the Payments Council chaired by MAS will go about these deliberations with the different stakeholders. And I should add, the stakeholders, as I have mentioned earlier, also include players operating the communications infrastructure because we want to ensure that there is proper accountability across the entire ecosystem.

Mr Speaker: Ms Foo Mee Har.

Ms Foo Mee Har (West Coast): Thank you, Mr Speaker. I thank the Ministers for their comprehensive replies. I agree with the Minister that we need to adopt an ecosystem approach to tackle banking scams. I have two supplementary questions for the Minister for Finance.

First, given the unprecedented wave of online banking frauds hitting consumers – actually, not just in Singapore, we have read about such accounts in the UK and around the world – may I ask how does MAS fare in terms of anti-scam controls, compared to some of the best practices in other jurisdictions to protect the interests of our consumers?

Sir, the second question relates back to the new framework being debated to establish how losses behind scams are to be shared between consumers and financial institutions. I want to ask, specifically, whether MAS will be imposing a set of minimum standards for the banks' fraud surveillance system to better protect consumers.

Mr Lawrence Wong: Mr Speaker, I thank Ms Foo Mee Har for the very important question. MAS' approach and what MAS has done so far has, in fact, gone beyond the usual practices among financial regulators. In major jurisdictions, regulators do not themselves prescribe the specific anti-scam controls for the banks. Instead, they take a supervisory approach, which means they set up the broad supervisory expectations of the banks, then they place the responsibility on the banks to develop the specific anti-scam measures. Then, the regulators will assess the adequacy of these measures and they will impose penalties if the banks fall short of expectations. So, that is the approach that other regulators take, most regulators will take, and that is also the basic approach that MAS has undertaken.

But, as I mentioned, MAS has, in fact, gone beyond most regulators in being quite clear about its expectations, as well as the specific anti-scam measures that are required. Amongst the three local banks, this started last year, following MAS' focus supervisory review. Then, earlier this year, in January, as I mentioned just now, MAS and ABS put in place a comprehensive suite of measures and controls that will apply across all retail banks. That is, in fact, more than what major jurisdictions have in place.

And we are going beyond that, because, as I have highlighted in my speech, MAS is also considering and studying further enhancements to the measures that we can put in place across banks to reduce the risk across our digital banking channels. So, let me assure Members that MAS takes this work very seriously. It has been, and will continue to do everything it can, working together with other partners and stakeholders to strengthen the security across our digital banking channels and also across the entire digital ecosystem.

On the second question on the framework for the sharing of losses, I do not want to get into details because, as I have highlighted, this is still work in progress. But, as I mentioned just now, our intention is to clearly set out basic responsibilities expected of financial institutions. Indeed, if financial institutions were to fall short of these responsibilities, then they should bear their share of the losses. So, this is work in progress and we will put out the details in due course when we are ready.

Mr Speaker: Mr Gerald Giam.

Mr Gerald Giam Yean Song (Aljunied): Sir, I have clarifications for the Minister for Communications and Information as well as the Minister for Finance.

For the Minister for Communications and Information, once the sender ID registry becomes a whitelist like what she described just now, will scammers still be able to send SMSes from overseas with the sender ID that is not registered in Singapore's registry? And if so, how would such scam messages be prevented? Secondly, is there a fast-track channel in which scam websites can be reported even by members of the public and blocked expeditiously?

For the Minister for Finance, recent scams have demonstrated that SMS is an insecure channel for sending either one-time passwords or hyperlinks. According to MAS' Technology Risk Assessment Guidelines to financial institutions, end-to-end encryption should be implemented for the transmission of customers' passwords. SMS is not an end-to-end encrypted channel. So, why is MAS not immediately prohibiting the use of SMS one-time passwords, especially to protect the less tech-savvy customers who are at risk of getting scammed?

Mrs Josephine Teo: Mr Speaker, I do not mean to be too technical, but to answer the Member's question, I will have to explain how the SMS service providers will interact with the SMS sender ID registry.

Basically, the SMS service providers will be approached by a party to say that here is a message that I would like to send to these numbers in Singapore. The imposition that we are making on the SMS Service provider is to look at the header that is being requested by the customer to send it under and check against the registry.

So, if a name already appears on the registry, then, regardless of who the customer is or where they are requesting this service from, as long as the name appears in the registry and this party's details do not match the other record in the registry in terms of their UEN, in terms of the path that they described, how they want to send the SMS across, then this business has to be turned away by the SMS service providers. So, the purpose of having the registry is to allow the SMS service providers to know whether this is a legitimate request and if these signs of legitimate requests are not matched, the requirement for the SMS service provider is to turn away the business.

So, I hope that that provides an answer to the Member's question.

Mr Lawrence Wong: Mr Speaker, on the use of SMS to deliver OTPs, I mentioned just now that we are reviewing this practice and, if we were to continue, whether potential measures should be taken to reduce the risk. I should highlight that, really, as I mentioned in my speech, there is no single measure that can guarantee the security of digital banking.

Issuance of SMS, even if it were to be done through a very safe and encrypted channel, for example, that would not stop deception from happening and, if the scam succeeds in identity theft, as has happened here, impersonating a bank, getting the person to think that this is, in fact, a genuine bank, then the person with the OTP will still provide the OTP to this scam website or scam account or whatever it is.

So, it is a broader issue that we have to look at holistically and, as I mentioned, we are determined and committed to this process to review the entire ecosystem and strengthen it.

Mr Speaker: Mr Don Wee.

Mr Don Wee (Chua Chu Kang): Mr Speaker, Sir, in Mandarin.

(In Mandarin): [Please refer to Vernacular Speech.] With the sharp increase in online fraud cases amidst the COVID-19 pandemic which has led to most institutions to minimise in-person transactions, will the Singapore Police Force step up collaboration and education efforts with SG Digital Office and the Silver Generation Office to reach out to and assist seniors, such as increasing its presence in the heartlands by setting up more SG Digital Community Hubs and sending out more Silver Generation Ambassadors to visit seniors at home? Many grandmas and grandpas are unable to understand how ScamShield works.

Mr Desmond Tan: I will reply in English and I will say a few remarks in Mandarin. I thank the Member for the question. Actually, Minister Josephine Teo has highlighted many of the measures that we have implemented in relation to helping our seniors go digital as well as to continue on our digital transformation journey. I think the question is a valid one in relation to how this incident may have affected some confidence, especially among our users and seniors. I want to emphasise that, as I had mentioned in my speech earlier on, the groups of people who are affected by scams are not just the seniors. In fact, our data showed that the younger people who have been transacting more online are more susceptible, or just as susceptible, to scams.

So, there are two areas that we need to focus on in relation to the Member's question.

One is how can we bolster confidence among our users? That is something that Minister Lawrence Wong, Minister Josephine Teo and I have been trying to explain and let Members know the measures that we are taking to make the digital space a safer environment for all of us to operate in.

The second area is to build a more resilient community in the use of the digital space. That is something that we have been working with the different stakeholders and partners – Government as well as the private sector – to strengthen.

More specific to Member Don Wee's question on the seniors' programme, we have introduced a number of programmes and, given this incident, we will continue to step up our outreach to our seniors to not just help them to acquire the skillsets but also to explain to them what are the telltale signs of scams and how to protect themselves from scams.

Today, the SDOs have done a good job in reaching out to 130,000 seniors in our community at the community centres, different libraries and so on. So, we will continue to step up these efforts.

I want to end off by saying that this education effort is an important one. We want to build a Smart Nation. We also want to build a Scam Smart Nation, where our people understand the telltale signs and to protect themselves and help one another.

(In Mandarin): [Please refer to Vernacular Speech.] Mr Speaker, Singapore has seen a rising number of scam cases in recent years. Therefore, MHA and other Ministries will do our best to work with community partners to strengthen prevention measures and raise awareness against scams.

In 2021, online phishing scams were on the rise. Scammers used various ways to mislead victims into revealing their personal information. Here, I urge everyone to stay alert and not to believe strangers easily, nor to share your personal information or even transfer money.

The public can also download ScamShield from Apple Store. Mr Don Wee said our grandmas and grandpas might not understand ScamShield. However, I believe that once they realise the benefits of ScamShield which offers them greater protection, they will be able to use digital platforms more confidently.

Mr Speaker: Ms Hazel Poa.

Ms Hazel Poa (Non-Constituency Member): Thank you, Mr Speaker. I thank the Ministers and the Ministries for the efforts that they have put in and continue to put in to prevent future scams. I have two supplementary questions.

Firstly, is MAS considering the contingency reimbursement model in the UK where banks reimburse scam victims which started on a voluntary basis but there are now plans to legislate it?

The second supplementary question: in working out the shared responsibility between banks and their customers, would MAS consider putting the onus more on the banks on the basis that: one, the banks are more tech-savvy and scam-savvy than the average bank customer and they have better resources to keep up-to-date with the latest tactics; two, it provides additional incentives on the banks to adopt a pre-emptive approach, for example, to consider the scam potential before pushing out new procedures or facilities; and thirdly, it is probably more cost-effective to focus on scam prevention efforts from the ends of a few banks rather than public education on a whole wide range of bank customers?

Mr Lawrence Wong: Mr Speaker, this must be my third question on the loss-sharing framework. I can appreciate that there is a lot of interest in this and, as I have said, it is a work-in-progress. But to quickly answer Ms Poa's two questions.

Number one: MAS will certainly look at models around the world in developing the details of this framework for the sharing of losses in an equitable fair share.

Number two: as the Member has highlighted, the responsibility will be different for individuals and financial institutions. We are very mindful that individuals have a different set of resources and capabilities, compared to financial institutions. So, in developing the specific responsibilities for individuals and financial institutions, we will certainly take that into consideration.

Mr Speaker: Mr Vikram Nair.

Mr Vikram Nair (Sembawang): Thank you, Mr Speaker. I have one clarification for the Senior Minister of State for Home Affairs. One of the issues with scams is that the perpetrators are normally based abroad. I just wanted to check whether there is any framework in place for us to actually cooperate with foreign agencies in order to identify the perpetrators and have them prosecuted for these actions?

Mr Desmond Tan: I thank the Member for the question. I mentioned in my speech that this is an area that MHA and SPF will continue to sharpen, to build our networks across the different foreign law enforcement agencies as well as working with Interpol to enhance our ability to respond and to investigate across jurisdictions.

At the same time, I also mentioned some of the difficulties, including how we can get our foreign law enforcement agency partners to work within their jurisdiction. And once the money has been transferred, there are also some difficulties as well. But it is an effort we will continue to do, as we have done in recent times, and we will step up this collaboration with the partners – foreign law enforcement agencies – to try and strengthen our enforcement as well as recovery of lost monies with the foreign banks as well.

Mr Speaker: Assoc Prof Jamus Lim.

Assoc Prof Jamus Jerome Lim (Sengkang): Thank you, Mr Speaker. I have two questions.

The first is for Minister Lawrence Wong. I wonder if the Ministry has plans to introduce complementary legislation to bolster the additional regulatory actions that he has already proposed and the reasons are, because while regulation is often useful for guiding actions, to use the example Minister Lawrence Wong raised earlier about allowing certain transactions to be disputed, without the force of law, it might still fail to adequately ensure an equal distribution of liability even in the presence of, as he described, the fair, equitable framework.

Using the same example, if I may, requiring charges above $50 to be subject to dispute under the Fair Credit Billing Act in the US has meant that financial institutions have, actually, been a lot more proactive in deploying fraud detection systems and securing fraud insurance. This is something that Member Hazel Poa has mentioned as well.

My second question is for Minister Josephine Teo and it is to ask if there are plans to comprehensively audit the compliance of technology systems with their official safeguards. I say this because, in a recent little experiment with my Sengkang colleague, Louis Chua, we tried to test the limits of the PayNow system, as applied by banks. The stated PayNow transfer limit, in the absence of additional authentication via token, is meant to be $1,000. However, we were able to transfer sums in excess of this amount just by instantaneously changing the daily transfer limits, and, again, without any two-factor authentication beyond the PIN prior to executing the transfer. Others have reported similar lapses in banks' checks and balances in guaranteeing customer security. One banking customer, writing to The Straits Times, shared that they were able to breach the credit limit by 1.8 times in transactions occurring over multiple countries in foreign currencies without the incident being flagged.

Mr Lawrence Wong: Mr Speaker, in developing any new measures, MAS will want to ensure that these measures are effective – effective in reducing the risk in our banking system, effective in implementation. And if new legislation is necessary or amendments to the laws are necessary, we will certainly not rule out those options.

Mrs Josephine Teo: Mr Speaker, there are two parts to the Member's question. One is in terms of the banks' information systems, IT systems, we classify them as part of our critical information infrastructure. As a result of this classification, they are subject to higher requirements and also regular audits. So, earlier on, when I had explained, and Minister Lawrence Wong had also explained why this was not a cyber attack or cybersecurity breach, that has to do with the kind of defences that are part of the banking system being a critical information infrastructure. Is it subject to regular audits? It has to be. Otherwise, we would not know whether the cyber defences that are intended to be put up are, in fact, effectively done. So, that part is done.

But I would always caution that this is not something you brag about. Just because the system is sound at any point in time does not mean it is not continuously being subject to testing. And whether it is banks, whether it is our telcos, as part of the operators of our critical information infrastructure, they always also have to conduct their own penetration testing, in order to assure themselves that there are no vulnerabilities or gaps that are glaring and that have not been patched. So, that is one part of it.

The second part of it, and his experiment with Mr Louis Chua using PayNow, I think it is very similar to what Dr Tan Wu Meng had already suggested earlier, whether you would consider subjecting your own banking processes to white hat scammers. And I think Minister Lawrence Wong had already responded to that question to say that the answer is yes; it is a good suggestion. And we should be seriously thinking about how to do so.

Mr Speaker: Mr Ang Wei Neng.

Mr Ang Wei Neng (West Coast): Thank you, Speaker. I thank the Ministers and the Minister of State for their comprehensive replies. I would like to ask a couple of supplementary questions. We understand from Minister of State Desmond Tan that once the money is transferred out of Singapore during an Internet scam, it is almost as good as gone.

So, I would like to ask the Minister for Finance what the proportion of Internet transfers is involving accounts overseas. Is it possible for the local user to opt, by default, to not allow the transfer of money out to overseas, unless authorised otherwise with the two-step verification? This is similar to what local mobile phone users do, where they can disable the auto-roaming so as to minimise the cost.

Secondly, when banks are alerted to the significant increase in banking scams, can the bank deactivate all overseas bank transfers for a short period, so as to minimise the scam's impact?

Mr Lawrence Wong: Mr Speaker, the short answers to both questions are yes. As I have mentioned in my speech, MAS is, indeed, looking to introduce additional customer confirmations for higher-risk transactions, and that would include fund transfers that are large, relative to the overall balances, as well as overseas transfers, recognising that once the funds leave our local banking system, they are very hard to recover, indeed.

So, as I have mentioned, these are additional strengthening and enhancements we are looking at, which will require customer confirmation. It will add friction to the transaction for genuine customers but we hope that everyone understands that these inconveniences are necessary to have a safer digital banking system in Singapore.

The second point about having a cooling-off period, if the banks are aware of the scam and whether or not they can put in place some cooling-off periods, indeed, that is something that has been done. And we will continue to look at how these sorts of measures and safeguards can be strengthened.

Mr Speaker: Ms Yeo Wan Ling.

Ms Yeo Wan Ling (Pasir Ris-Punggol): I thank the Ministers for their comprehensive replies. I would like to follow up on the hon Member Ms Foo Mee Har's question on anti-scam standards set by MOF.

My residents who came to me to seek help on the recent OCBC bank scam incident shared that information from the bank during the investigation process and the support during the processes itself, were found wanting. Many of them had interactions only with the call centre staff and this has left them very afraid and stressed and, indeed, worried that their life savings were kept in limbo.

So, I would like to ask if the Ministry, or the agencies in charge of this, will be putting in standards and requirements for the banks in the management of scam victims during the investigation process.

Mr Lawrence Wong: Mr Speaker, again, the short answer is yes. But I should clarify the standards are not set by MOF; they are set by the Monetary Authority of Singapore (MAS) and I am speaking also in my capacity as the Deputy Chairman of MAS. This is under MAS' purview.

As I explained in my speech just now, we have assessed that OCBC itself, in this incident, could have done better. There were areas, in terms of its responses to customers, which, certainly, could be improved. That is why we are reviewing the conduct of OCBC, and we will take the appropriate actions. That is for the OCBC incident.

But with regard to standards, expectations and responsibilities, these are in place today for all the retail banks and we will continue to review and ensure that these standards are set in such a way that provide assurances to customers and hold the banks accountable to meeting these high standards.

Mr Speaker: Mr Melvin Yong.

Mr Melvin Yong Yik Chye (Radin Mas): Thank you, Mr Speaker. It is sobering to learn that our current anti-scam systems are blocking millions of scam calls each month. I would like to ask Minister Josephine Teo whether this useful protective filter extends to blocking scam calls made using Voice over Internet Protocol (VoIP), which allows calls to be made over the Internet as well as telecommunications applications, such as WhatsApp call, which is also becoming very popular even among our seniors. If not, are there any plans by the Ministry to safeguard these channels?

Mrs Josephine Teo: Mr Speaker, as a general point, we are constantly looking at what channels are being exploited for scams to be perpetrated. But the Member is right. The current call blocking, as well as the website blocking, is now mainly done through Domain Name System (DNS) blocking. So, unless my technical understanding is flawed, and I would have to check this up, my understanding is that it does not block VoIP calls. But I will have to get back to him properly.

Mr Speaker: Order. Business Motion. Leader.