Implementation of the new Shared Responsibility Framework and its impact on financial institutions

The SRF highlights the duties of account users and responsible FIs, to ensure a common baseline protection from unauthorised or erroneous transactions. With the implementation of the SRF, account users, FIs and Telcos will need to put in place preventive measures to counter digital scams. The realisation of SRF will impact account users, FIs and Telcos to collectively reduce scam risks in the following ways:

• Account users will see an increase in preventive measures by FIs and Telcos on digital security for significant account activities.
• FIs will need to re-look at their current anti-fraud operating model to establish preventive and detective surveillance mechanisms to counter unauthorised transactions and phishing scams.
• Telcos will need to take on shared responsibility for fraud losses and ensure that they put in place scam disruption measures within the Short Message Services (“SMS”) communication networks that reduce the risks of scam SMS being delivered to consumers.

The waterfall approach established by the SRF for determining liability in scam-related losses creates a structured framework for sharing responsibility among FIs, Telcos, and consumers. The key features of the waterfall approach are segregated as follows:

The financial sector will undergo a transformative phase with the introduction of the SRF. This regulatory shift aims to redefine accountability and risk management within FIs, leading to significant implications for governance, operational practices, and customer relations. The following outline the key implications to FIs:

1. Anti-fraud framework

FIs should establish a comprehensive risk management framework that includes specific provisions for fraud risk and are expected to regularly perform fraud risk assessments to identify fraud vulnerabilities in the organisation and tailor its internal controls (both preventive and detective) accordingly. FIs should have in place robust controls that help to facilitate the prevention and detection of unauthorised transactions arising from digital scams. The framework would also need to include the response plan to address incidents of unauthorised transactions through investigations, ensuring accountability to account users and regulatory bodies. This would enable FIs to be able to mitigate the risks arising from digital scams.

2. Roles and responsibilities

The SRF clarifies roles and responsibilities among FIs, Telcos and account users in mitigating the risk of unauthorised transactions. FIs should enhance accountability within the organisation itself. The board and senior management play a critical oversight role in ensuring that robust policies and strategies are in place and updated regularly to mitigate fraud risks. Clear policies and procedures must be established to facilitate the prompt reporting of suspected fraud incidents to the regulatory bodies.

3. Training and upskilling

FIs are expected to re-evaluate their operational frameworks to align with the SRF. This could involve restructuring teams, investing in new technologies, and enhancing training programmes to ensure staff are equipped to handle the new responsibilities. The board and senior management should stay up to date with the latest fraud regulations and guidelines regarding fraud prevention, reporting and ensure that the organisation’s internal controls and anti-fraud framework stay relevant to combat new fraud typologies. Employees should be trained on the use of fraud detection techniques to identify key fraud trends, red flags and suspicious transactions. A culture of fraud awareness through training programmes employees at all levels and continuous training is integral to prevent and detect fraud proactively.

4. Operations – Investigations and outcome

FIs will need to set up an investigation taskforce, independent of business units, to conduct investigations when processing claims on unauthorised transactions. FIs should outline clearly the governance structure of the investigation taskforce as well as the policies and procedures detailing the investigation process and assessment.

5. Operations – Recourse plan

FIs will need to establish a clearly defined recourse plan to address claims pursued by account users in scenarios where the responsible FI has assessed that the claim falls outside of the SRF Guidelines. This would include detailed policies and procedures, clearly defined roles and responsibilities and effective communication strategies to account users, management and regulatory bodies.

6. Tools and technology

The SRF encourages FIs to leverage on technology to improve their risk management processes. This includes adopting advanced analytics and automated systems for real-time monitoring and reporting. Responsible FIs are required to implement the following:

• Real-time fraud surveillance mechanisms to detect unauthorised transactions and phishing scams by June 2025. These include blocking the online banking payment transactions when it crosses a certain threshold until further verification from the account holder as well as sending a notification to the account holder while blocking or holding unauthorised transactions for at least 24 hours.
• 12-hour cooling off period for limiting high-risk activities following the activation of a digital security token on a device or when there is a login to a protected account on a new device.
• Providing real-time notifications and alerts for significant account activities to the account holder when the digital security token is activated, login to protected account on a new device or any high-risk activities performed on a protected account.
• Providing real-time outgoing transaction notification alerts for all outgoing payment transactions.
• 24/7 reporting channel with a self-service feature to promptly block mobile and online access to the account user’s protected account (“kill switch”).
  

7. Customer awareness

Account users are required to exercise greater cyber hygiene, such as refrain from accessing clickable links in SMS or emails and the need to leverage on official sources for information, while FIs need to look towards building greater awareness for account users to safeguard their account credentials.