Data on Credit Card Fraud and Quantum of Losses

93 Mr Desmond Choo asked the Prime Minister and Minister for Finance (a) how many cases of credit card fraud have been reported over the past three years; (b) what is the quantum of losses; and (c) whether the Ministry will consider a framework similar to that of the Shared Responsibility Framework to set out the responsibilities of banks in credit card fraud, especially in clarifying what constitutes an act of gross negligence by the cardholder and the reasonable timeframe for notification of credit card fraud.

Mr Gan Kim Yong (for the Prime Minister): According to statistics compiled by the Singapore Police Force, an average of 790 cases of credit card fraud were reported per year from 2021 to 2023, with an average loss per year of $2.1 million. The safeguards against credit card fraud put in place by global card schemes, such as those operated by Visa and Mastercard and card issuers, such as banks, have strengthened over time.

Card scheme operators have established the 3-D Secure protocol, or 3DS, as an added layer of security for online credit card transactions. This requires cardholders to separately authenticate the transaction, meaning that transactions cannot proceed with just static card details like the card number, expiry date and Card Verification Value code.

Banks have strengthened existing measures to protect consumers from card fraud, such as real-time card transaction monitoring, and will notify card users where possible fraudulent transactions are picked up. Cardholders should promptly contact the bank if they are notified of any unauthorised transactions. Banks are also moving away from SMS One-Time Passwords (OTPs), to push notifications on the digital tokens of banking apps to authenticate 3DS transactions, which cannot be phished, unlike SMS OTPs.

The Shared Responsibility Framework is not suitable in the context of credit card fraud. There are already well-established rules protecting credit card holders and limiting their liability in the event of fraud.

Consumers are protected under The Association of Banks in Singapore Code of Practice for Banks – Credit Cards, where the maximum liability due to unauthorised transactions is $100, provided the cardholder has not acted fraudulently and was not grossly negligent and has reported the unauthorised transactions to the card issuing bank as soon as reasonably practicable. This is to cater to situations, such as when a cardholder loses his physical card but promptly reports the loss to the Police and the bank. This $100 limit will not apply to a cardholder who unwittingly authenticates a 3DS transaction that turns out to be fraudulent, as that would be considered negligent.

Consumers are also protected under the chargeback mechanism from card scheme rules, that allows credit card holders to dispute a charge and request for their money back. In a case of a disputed online transaction, the card issuer will investigate the facts of the case. For example, if the merchant had not enabled 3DS and a transaction was put through without 3DS authentication, the cardholder would generally not be liable.

Card schemes and card issuers have in place mechanisms to combat credit card fraud, protect consumers and limit their liability. Members of the public should also play their part and remain vigilant in safeguarding their cards and card information, monitoring their card transactions regularly and promptly notify their card issuers of the loss or theft of their cards or any unauthorised transactions.