SINGAPORE — Authorities need to find the “right approach” before malware scams can be included in a proposed framework that determines who is liable for scam losses, Singapore’s central bank chief Ravi Menon said in an interview with CNA.
Acknowledging that the exclusion of malware scams may be disappointing for some, he stressed that MAS is “very concerned” about these scams and discussions on safeguards are ongoing.
The Monetary Authority of Singapore (MAS) and the Infocomm Media Development Authority (IMDA) on Oct 25 put out a long-awaited consultation paper, which proposed that financial institutions and telecommunication companies that were negligent bear responsibility for scam losses ahead of victims.
As a start, the framework focuses on phishing scams that happen digitally. This means that other scams, such as investment or love scams where victims authorise payments to scammers, and malware fraud are excluded.
Malware scams – where victims are duped into downloading and installing malicious apps that allow fraudsters to take control of their devices – are “particularly worrying”, said Mr Menon in a wide-ranging interview with CNA ahead of the annual Singapore FinTech Festival from Nov 15 to 17.
Police statistics show that more than 1,400 victims lost at least S$20.6 million (US$15 million) to malware scams between January and August. Almost half of these scams happened in the last two months of the period.
“The number of malware scams is smaller than other scams but the number is growing, and we are very concerned about it. We’ve been discussing with the banks the safeguards and measures that can be put in place against malware scams,” he said.
“Malware scams are not part of this shared responsibility framework. I know people will be disappointed with this but … we need to get the right approach towards such scams before we can put it in the framework.”
For now, some safeguards are in place. At least four major retail banks have rolled out anti-malware controls that restrict customers’ access to their apps if potentially risky apps downloaded from unofficial portals are detected on customers’ phones.
Banks are also looking to introduce a “money lock” feature that allows customers to block their savings from digital transactions.
These safeguards will inevitably result in some inconvenience and friction in the consumer banking experience, but Mr Menon called for consumers to understand the need for “a trade-off between security and convenience”.
“We’ve got lots of convenience in our payment system today. Digital payments were wonderfully helpful during COVID-19 but now with these risks emerging, especially the malware scams, we do need to recalibrate towards security.”
‘I HEAR CONCERNS’
The development of the shared responsibility framework was first announced in February 2022 after close to 800 OCBC customers lost a combined S$13.7 million to scammers in phishing scams conducted via SMS.
MAS said then it would publish a draft framework to consider how the liability for scam losses can be shared between financial institutions and victims within three months. But that took “longer than expected” due to the complexity of the issues involved, it said in later parliamentary replies.
The inclusion of telcos and infrastructure service providers under the proposed framework makes Singapore the first to do so, the authorities said in the consultation paper.
Asked when telcos were included in the discussions and if that was a reason why the draft framework took longer than expected, Mr Menon said: “Actually, as early as the middle of last year, by and large most of what you saw being released was already settled.
“But we came to the realisation … that you need an ecosystem defence against scams. So, it’s not just the customers and the banks, but a range of players in the system.”
Telcos play an important role given how they are the channels through which SMSes are transmitted. As SMSes remain a “vital tool” that is still in use, there is a need to address the gaps in that space, he added.
Authorities were also in “deep discussions” with social media platforms and others in the ecosystem to explore how these companies can “exercise greater responsibility” over how their platforms are being used.
“But we don’t have regulatory levers over them. Where we do have regulatory levers are the financial institutions, payment system providers and the telcos.”
The move to expand the framework to incorporate telcos “took a while”.
“Because you need to reach out to them, get them to understand the issues and then work out with them what is feasible, what is it that they can do by way of safeguards. At the same time, you don’t want to put them in an impossible spot where they bear liabilities unfairly,” Mr Menon told CNA.
“We had to work out a lot of details. Personally, I think it took longer than any of us would have liked but I’m glad we’ve got a framework in place.”
Authorities have said the framework, which is targeted to be rolled out next year, aims to increase the accountability of financial institutions and telcos to their consumers, as well as preserve confidence in digital payments and digital banking in Singapore.
This confidence could be undermined if scams, particularly those involving unauthorised transactions, continue to increase. These currently make up about one-quarter of all scam cases, with the rest involving authorised transactions such as investment and love scams.
“We’re concerned because on top of the human suffering, is the fact that these transfers are being made without the victim’s knowledge or consent,” said Mr Menon. “And if that grows, you start losing confidence in digital banking. That’s a very serious matter.”
Presently, confidence remains intact but concerns and anxieties are emerging.
“I hear concerns. Well, I am concerned too. I check my phone all the time to make sure it’s not been infected and I run my malware protections and so on,” he said.
“There’s clearly more anxiety. We need to acknowledge that … We don’t want the anxiety to escalate into a loss of confidence. Because once confidence is lost, people will retreat from the digital economy.
“So, we’re not there … but we need to address this early, which is why we are taking this very seriously and we need to find solutions for malware scams,” added the central bank chief.
DBS ‘SHOULD BE ABLE TO FIX’ ISSUES
Mr Menon was also asked about a string of service disruptions that have hit several banks, including DBS, Singapore’s largest lender.
The most recent occurred on Oct 14 when digital banking services at DBS and Citibank were disrupted for hours due to a technical issue with the cooling system at a data centre.
DBS has had at least three other disruptions on its digital platforms this year.
Mr Menon said he does not think the outages in Singapore were “exceptional” and “badly off” based on the four requirements that MAS has for banks – frequency of outages, recoverability, communication to customers and contingency plans.
“Maybe I’ll call out the elephant in the room. Why are people so upset? Because the largest bank in the country, which has the largest number of customers, has unfortunately had more disruptions,” he said.
“If you remove that from the picture, I don’t think digital banking disruptions in Singapore are more frequent than elsewhere.”
The regulator on Wednesday (Nov 1) barred DBS from acquiring new business ventures for six months. The bank is also not allowed to make non-essential IT changes or reduce the size of its branch and ATM networks in Singapore.
This will be in force until “MAS is satisfied with the progress of the bank’s remediation plan”, it said.
In his interview with CNA, which took place before the announcement, Mr Menon said: “The board and senior management of DBS are taking this very seriously … They know this is a huge issue and they need to fix it.”
“There are some deeper-seated issues that need to be resolved and they will be. The good thing is the bank is committed,” he added.
“This is a bank with strong digital capabilities but they have some problems they need to fix on the IT architecture and recovery processes. But it is a digitally strong bank so they should be able to fix it.”
CNA
ADDITIONAL REPORTING BY ELIZABETH NEO