I went to the Singapore Fintech Festival to see what was going on in the dynamic Asia-Pacific market and I was not disappointed. While I was very interested in the discussions around delivering financial health, what interested me the most was the nation’s new initiative on fraud. In a couple of weeks’ time, the Monetary Authority of Singapore (MAS) and the Infocomm Media Development Authority (IMDA) are going to implement the new Shared Responsibility Framework (SRF) for dealing with the victims of phishing scams.
Shared Responsibility For Fraud
Under the SRF, MAS and IMDA have established specific duties for FIs, PSPs and telcos, designed to directly combat phishing scams. This interests me because it is what banks are calling for in other jurisdictions (including the UK) where the banks quite rightly object to being forced to compensate customers who have fallen prey to scammers when other market participants, particularly social media platforms, do nothing to prevent these activities (in fact, it can be argued that they facilitate them).
In the UK consumers lost nearly half a billion pounds to authorised push payment (APP) fraud last year, according to trade body UK Finance, more than two-thirds of which involved goods that were ordered online by consumers but did not arrive. Most purchase fraud comes from false adverts on social media platforms including Facebook Marketplace, according to Lloyds Banking Group and TSB. In the first half of this year, four-fifths of all TSB fraud cases involving some kind of manipulation or coercion (they refer to it as “social engineering”) came from Meta, either through Instagram, Facebook or WhatsApp.
(Interestingly, the latest figures from the UK show losses due to authorised push payment fraud, characteristic of these scams, were down some 11% while unauthorised card payment fraud went up 5% in the same period.)
While in the UK, four in 10 victims of fraud are already compensated by their bank (compared with 32 per cent in the US, 15 per cent in Japan and 14 per cent in Germany), the UK’s Payment Services Regulator (PSR) extended what is known as the “contingent reimbursement model” (CRM) that was revised earlier this year to require sending PSPs to reimburse all customers who fall victim to APP fraud in most cases, splitting the cost of the reimbursement between the sending and receiving PSPs. It also requires PSPs to provide additional protection for vulnerable customers (which some people, including me, think will lead to de-banking of vulnerable customers because of the expenses involved). Given that data shows that almost all APP fraud starts online or over the phone, through social media, fake messages and calls, there was considerable unhappiness in the banking sector that the technology and telecommunications providers would not be required to share the costs for reimbursing victims. In the end the regulator stood firm and the costs fall wholly on the banks.
(There was some softening in the rules though. The PSR originally proposed a maximum reimbursement level of £415,000 while PSPs were lobbying for something more like the £30,000 average loss to the frauds. The level was eventually set at £85,000 for no logical reason other than that it is the same as the deposit protection limit for consumer bank accounts.)
The banks have long been asking why they have to carry the can when most of the frauds they see originate on social media platforms that could do a little more to validate their participants and are facilitated by telcos that allow number spoofing. And, frankly, they have a point. How will raiding banks help to reduce fraud? I haven’t the slightest idea.
In response to all of this, the UK payments regulator has already said that social media groups must do more in the “war of attrition” against financial fraud on their sites and further said that the government should consider making platforms liable for compensation to victims. This is why the banks are looking at other jurisdictions, such as Australia and Singapore, to explore different (and what lawyer Jenny Stainsby rightly called “more balanced”) models for compensation. Things are happening. Last year, for example, a number of technology and social media firms signed up to a UK Online Fraud Charter to try to do something about scams. This is a good first step, as the ecosystem needs co-ordinated action, but as David Callington (HSBC UK’s head of fraud) says, Big Tech needs financial incentives to make real change.
The Singaporean Approach To Fraud
This is why the Singaporean approach is so interesting to observers in many other countries who are studying the new framework. The essence of the new approach is that financial institutions and other ecosystem participants may have to share in reimbursing victims depending on whether the participants fail to perform their duties. Overall, banks have to fulfil five key duties, and telcos three key ones, under the SRF. If these organisations do what is necessary under the framework, consumers will bear the full losses. A few key points of this framework are:
- A 12-hour cooling-off period after new device logins to e-wallets, reducing the risk of unauthorized access.
- Real-time alerts for new device logins, contact detail changes, transaction limit increases, the addition of new payees and such like, allowing consumers to respond swiftly to suspicious activity.
- A 24/7 self-service “kill switch,” accessible by phone or app, enabling consumers to immediately block account access if unauthorized activity is suspected.
These all seem like sensible policies given the current state of things. Fintechs should not be able to evade their responsibilities for protecting consumers (caveat emptor makes no sense in the social media era) but neither should one set of marketplace participants be made to bear full responsibility for frauds that are not their fault. And if the regulators do want to take action that will have real impact on the scale and scope of fraud they should start by bringing digital identity to the mass market so that not only does the bank know that it is really dealing with you, but you know that you are really dealing with the bank.