![Image]()
Real-time notification alerts: Responsible FIs must provide real-time notification alerts for the activation of a digital security token or login to a protected account on a new device, and for the conduct of high-risk activities.
Outgoing transaction notifications: Real-time notification alerts for all outgoing payment transactions made from the protected account.
24/7 reporting channel and kill switch: Responsible FIs must offer a 24/7 reporting channel and a self-service feature (a "kill switch") that consumers can self-activate to immediately block their account and prevent further unauthorized transactions.
Fraud surveillance: In response to feedback, an additional duty requires Responsible FIs to implement real-time fraud surveillance directed at detecting unauthorized transactions in a phishing scam that results in an account being rapidly drained of a material sum to a scammer, and to block or hold such transactions until further verification from the consumer.
The MAS will allow a 6-month transition period from the date of the SRF’s implementation for Responsible FIs to be held to the fraud surveillance duty, as this was not within the four Responsible FI duties originally consulted on, so this duty will take effect on June 16, 2025.
Responsible Telcos
- Authorized aggregators: Responsible Telcos must connect only to authorized aggregators for the delivery of Sender ID SMSs to ensure these SMSs originate from bona fide senders registered with the SMS Sender ID Registry.
- Blocking unauthorized SMS: Responsible Telcos are required to block Sender ID SMSs which are not from authorized aggregators to prevent delivery of Sender ID SMSs originating from unauthorized SMS networks.
- Anti-scam filter: An anti-scam filter must be implemented over all SMSs to block SMSs containing malicious URL in a designated database.
Waterfall reimbursement approach
The SRF adopts a "waterfall approach" to determine which party is to bear the risk of loss arising from an in-scope unauthorized payment transaction:
- The Responsible FI is first in line and is expected to compensate the victim for their entire loss if it has breached any of its obligations under the SRF.
- If the Responsible FI fulfills all of its obligations and the Responsible Telco is assessed to have breached any of its obligations under the SRF, the Responsible Telco is expected to bear the full loss and compensate the victim accordingly.
- If both the Responsible FI and the Responsible Telco have carried out their SRF obligations, the consumer bears the full loss under the SRF. However, consumers can still seek recourse through other channels like the Financial Industry Disputes Resolution Centre (FIDReC) or civil courts.
The MAS and IMDA have confirmed that they will not introduce any liability cap for losses.
Operational workflow for handling claims
The SRF sets out a four-stage operational workflow for handling claims:
- Claim stage: The Responsible FI is the first and overall point of contact with the consumer. It will assess if the claim falls within the SRF's scope and inform the Responsible Telco where applicable. The consumer should report any unauthorized activity to the Responsible FI as soon as practicable, and no later than 30 calendar days from when the Responsible FI sends the notification alerts. The consumer should also provide a valid email address and any other supporting information, such as a police report and digital communication trail(s), within 3 calendar days from the date of notification to the Responsible FI.
- Investigation stage: The Responsible FI and Responsible Telco (where applicable) will conduct the investigation concurrently and independently to determine whether each of them has fulfilled their obligations under the SRF. The Responsible FI and Responsible Telco should complete the investigation within 21 business days for straightforward cases or 45 business days for complex cases.
- Outcome stage: The Responsible FI will inform the consumer of the investigation outcome and the assessment of the consumer's responsibility. The Responsible FI should seek acknowledgement from the consumer of the investigation outcome.
- Recourse stage: Where a consumer is dissatisfied with the outcome, he or she may pursue further action through avenues of recourse such as the FIDReC or civil courts.
Enhancements to the E-payments User Protection Guidelines
The SRF will be complemented by the updated E-payments User Protection Guidelines (EUPG), which set out the expectations of the MAS of any Responsible FI that issues or operates a protected account, and of any user of protected accounts. The MAS will amend the EUPG to align with the SRF and to introduce additional duties for Responsible FIs and account users that go beyond the SRF. These include:
- A Responsible FI should not send clickable links or phone numbers to retail consumers unless the consumer is expecting it, and if the link is purely informational.
- The requirement to implement a consumer’s additional confirmation and tailored risk warnings for consumers before they perform high-risk activities.
- A new enhanced Responsible FI duty requiring Responsible FIs to have capabilities to detect and block suspicious transactions at all times.
Like the SFR, the revised EUPG took effect on December 16, 2024. That said, the MAS recognises that Responsible FIs will require some time to make operational arrangements for the new requirements of the EUPG not originally consulted on. In this regard, there will be a 6-month transition period for Responsible FIs to meet these additional requirements, including the duty to be able to detect and block suspicious transactions at all times, and these requirements will take effect on June 16, 2025.
Protection from Scams Bill
On January 7, 2025, a proposed new law granting authorities the power to order certain banks to restrict the banking transactions of potential scam victims passed its second of three readings in Singapore’s Parliament. The Protection from Scams Bill (the Bill) empowers the police, as a last resort, to issue Restriction Orders (ROs) to banks to restrict an individual’s banking transactions, if there is reasonable belief that the individual will be the victim of a “scam offence”. This will enable the police to better protect targets of ongoing scams who refuse to believe that they are being scammed. ROs can be used to suspend money transfers, the use of ATM facilities and all credit facilities, although individuals will still be able to access their money for legitimate reasons such as for daily living expenses and paying bills. The ROs will, by default, be issued to the seven Domestic Systemically Important Banks (DSIBs) in Singapore - DBS, OCBC, UOB, Citibank, HSBC, Maybank and Standard Chartered Bank — which are the major retail banks which manage most of the consumer deposits in Singapore. ROs can also be issued to non-DSIB banks should there be reasonable suspicion that a non-DSIB account is directly involved, i.e. there is reason to believe that a victim will make transfers from a non-DSIB account to a scammer.
An RO can remain in force for a maximum of 30 days initially, and may be renewed up to five times if necessary. The Bill includes an appeal process for individuals who believe they have been wrongly subject to an RO, and also addresses the potential involvement of third parties. The list of scam offences are set out in the Schedule to the Bill, which includes criteria for updating the Schedule with further offences that should fall within scope. A fine of up to SGD3,000 can be imposed on banks for contravening an RO without reasonable excuse.
Evolving approach to combat scams
The SRF and the Bill are part of a broader effort by the Singapore Government to combat scams and enhance consumer protection. The Government continues to work closely with industry players to refine anti-scam measures and adapt to the evolving threat landscape. Public education remains a critical component of this strategy, with targeted programs for vulnerable groups like the elderly.
Acknowledgments to John Hobbs, trainee with A&O Shearman's Financial Services Regulatory team in London, for his contribution to this post.