SINGAPORE – Victims misled into giving out their banking details in phishing scams are often responsible for the funds lost, especially if bank information technology systems are up to mark and not compromised, say lawyers.
However, financial institutions can be held liable if they are found to be negligent or have breached their contracts with customers, such as by not patching their systems regularly.
Mr Marshall Lim, a partner at RHTLaw Asia, said a bank’s responsibility to customers is typically spelt out in the terms of contract, which limits their obligations to customers.
“If that is the case, the banks may not be responsible for money that you have lost through fraud especially if you had authorised the transaction, and even if you were tricked into doing so,” added Mr Lim.
This includes situations like phishing scams, where the messages and e-mails customers receive appear legitimate and may even seem to come directly from the bank.
Pinsent Masons MPillay lawyer Bryan Tan said: “The only way to reverse the liability on a customer is if the bank knew about the fraud or facilitated it, or vice versa.”
In this scenario, it would be a matter of how the liability is shared.
Their comments comein the wake of a spate of SMS scams.
A police statement on Dec 30 revealed that nearly 470 OCBC Bank customers had lost at least $8.5 million since the beginning of December to scammers sending unsolicited SMSes to victims, claiming there were issues with their banking accounts.
The text directed bank customers to click on a link in the message to resolve the issue, which led to fake bank websites where victims keyed in their Internet banking account login details.
Victims said they were fooled because the fake SMS texts had appeared in the same message thread as the genuine ones OCBC previously sent to customers for one-time passwords or transaction alerts.
The bank, in a statement on Dec 23, said the scammers could do this because they had spoofed the name of the sender of the scam texts as OCBC.
This enabled them to group fake messages with the genuine SMSes.
Mr Steven Lam, a director at Templars Law, said customers may not be able to claim against a bank if they shared their OTPs or had logged on to websites without checking if they are genuine.
Mr Tan noted that banks’ terms and conditions usually exclude liability for the uncertainty in electronic communications, such as delays in delivering messages about transactions which could have alerted a customer of suspicious activities.
One victim who spoke to ST said there was a more than three-hour delay between the time the bank sent him a genuine text message to alert him to some transactions and when he received it.
If the victim of a fraudulent transfer reports the matter to the bank and the financial institution takes a very long time to freeze the affected bank account, Mr Lam said that the bank could be seen as being negligent for not acting fast enough.
But, again, the bank might have exclusion clauses that seek to remove responsibility from the bank for its slow action.
Still, “it’s for the courts to decide if the bank’s exclusion clauses are reasonable”, said Mr Lam.
Another instance in which a bank might be considered negligent when fraud happens is if the bank’s IT system does not meet industry standards, such as not patching software regularly, which then allows hackers to compromise the system.
However, if a bank’s risk detection system fails to detect fraudulent transactions but the system satisfies industry requirements, the bank might not be negligent, said Mr Lam.
Better safeguards for victims of fraud are on the cards.
The Monetary Authority of Singapore (MAS) is leading a task force to review how to apportion the liability of a fraudulent online transaction between affected consumers and financial firms.
Announced in July last year (2021), the task force will also review practices that the financial industry can put in place to better protect consumers against scams and fraudulent transactions.
Mr Lam said that the task force could consider the possibility of insurance coverage to protect against fraudulent transfers but this would mean more costs which could be passed to consumers.
“Alternatively, multiple steps of verification could be put in place but this also means more costs and greater inconvenience,” he added.
In a written parliamentary reply on Monday (Jan 10), Mr Tharman Shanmugaratnam, Senior Minister and Minister-in-charge of MAS, said that the Government is coordinating its efforts to address the growing scam threat through the Inter-Ministry Committee on Scams.
“One key area of progress has been the strengthening of funds recovery for victims of such scams. The Singapore Police Force works with banks in Singapore to freeze, within one day, domestic bank accounts receiving scam monies,” said Mr Tharman.
But he added that freezing overseas accounts is more challenging as it involves agencies in different jurisdictions.
But there has been some progress made recently, said Mr Tharman.
For example, between June and Sept 2021, the Singapore Police Force worked with its international law enforcement counterparts to smash 10 transnational syndicates.
The syndicates, which were involved in job scams, Internet love scams and impersonation scams, were busted by the Royal Malaysian Police and the Hong Kong Police Force.