MAS to publish framework on liability for scam losses, says OCBC goodwill payouts one-off gesture, not a precedent, Latest Business News - The New Paper

MAS to publish framework on liability for scam losses, says OCBC goodwill payouts one-off gesture, not a precedent

This article is more than 12 months old

Within the next three months, the authorities could reveal a framework that spells out how losses from scams are to be shared between consumers and financial institutions.

This comes as the Monetary Authority of Singapore (MAS) asserted yesterday that all parties must shoulder their responsibility in fighting scams.

OCBC recently made goodwill payments to fully refund its 790 customers who lost $13.7 million to fraudsters who spoofed the bank's name and sent fake SMSes with phishing links to victims.

The financial sector regulator said on Friday (Feb 4) that OCBC's payouts were a one-off gesture by the bank, considering the circumstances, such as how the bank had not met its own expectations of customer service and response.

"They do not set a general precedent for future cases," said MAS.

Some OCBC customers claimed that it took so long to get through to a person on OCBC's hotline that, by the time the bank was able to take action, the scammers had siphoned much of their funds.

MAS is leading a task force, called the Payments Council, to review practices that the financial industry can put in place to better protect consumers.

It was mentioned in July 2021 that this includes a review of how to apportion the liability of a fraudulent online transaction.

MAS said on Friday that "all parties have responsibilities to be vigilant and to take precautions against scams". For example, financial institutions must have measures to safeguard customer accounts, and detect and respond to suspicious transactions.

Customers have to take precautions, such as not giving personal or banking details to anyone. They should never click on links in SMSes or e-mails that seemingly come from a bank, and should transact only through the bank's official website or mobile app.

The proportion of losses each party bears "will depend on whether and how the party has fallen short of its responsibilities", said the authority.

MAS said it will be seeking public feedback on this framework, including responsibilities of other key parties involved.

Currently, victims misled into giving out their banking details in phishing scams are often held responsible for the funds lost, especially if the bank's information technology system has not been compromised, lawyers said.

But banks might have to bear scam losses in cases where they failed to take reasonable care while the customers took steps to protect their interests, said lawyer Steven Lam, a director at Templars Law.

This includes instances where banks failed to adopt proper safety and due diligence protocols, or failed to adopt internationally recognised good practices.

As for other key parties who may be covered by the framework, lawyer Bryan Tan, a partner at Pinsent Masons MPillay, said one issue is whether MAS can regulate them.

Cyber-security experts have said telcos have a role to play in fighting SMS scams. But it is unclear if they are being considered in MAS' framework.

Mr Tan said the issue of other parties' liability is tricky: "While SMS is a relatively inexpensive service, it could lead to large consequential losses far in excess of their service value." This could make insuring SMS services more costly.