Phishing attacks are becoming more sophisticated than ever before, causing significant financial losses to consumers and businesses worldwide. Ready-to-use “phish kits” are now widely available on the Dark Web, enabling any novice fraudster to impersonate websites with ease to steal users’ credentials. To deal with this threat, governments across the world are implementing new “shared responsibility” models that shift the blame from victims alone to every stakeholder, including financial institutions and telecommunications operators.
The latest country to do this is Singapore, which last year introduced its new Shared Responsibility Framework (SRF) in an effort to compel banks and telecoms firms to take action to mitigate phishing-based scams.
Under the SRF, financial institutions and telcos are required to implement a number of safeguards to protect against and monitor for fraudulent activity, as well as scam-filtering tools and real-time alerts to warn consumers.
New responsibilities for financial institutions and telcos
Financial institutions and telcos have separate responsibilities under the SRF, with a significant burden falling on the former. Among other things, financial institutions are required to implement a 12-hour restriction or “cooling-off” period on any “high-risk activities” after an account activates a digital security token, which is a digital authenticator used alongside a password to sign into online banking and perform actions such as wire transfers.
In addition, banks must send real-time notifications to consumers any time a token relating to their account is activated, as well as for logins from new devices and for outgoing transactions. They’re also required to provide customers with access to a so-called “kill switch”, which can be used at any time to immediately block access to their accounts and halt any transactions relating to them.
Finally, the SRF also calls for financial institutions to introduce real-time monitoring systems to detect rapid unauthorized transactions. Such systems would be able to detect if an account is being drained by a scammer, allowing the institution to block the transaction until it can reach the customer in question.
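As an added illustration, not taken from the article or from any bank's or regulator's system, the three bank-side controls above (the 12-hour cooling-off period after token activation, real-time alerts, the kill switch, and rapid-drain detection) can be expressed as one small transaction policy check. The 12-hour figure is the SRF value the article cites; the velocity window and count, the alert names and the `high_risk` flag are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# The 12-hour cooling-off period on high-risk activity after token activation
# is the SRF figure the article cites; the velocity thresholds are constructed.
COOLING_OFF = timedelta(hours=12)
RAPID_WINDOW = timedelta(minutes=10)
RAPID_MAX_COUNT = 3

@dataclass
class Account:
    token_activated_at: Optional[datetime] = None
    outgoing: list = field(default_factory=list)  # timestamps of allowed transfers
    kill_switch: bool = False  # customer-triggered; blocks all activity

def activate_token(account: Account, at: datetime) -> list:
    """Record a token activation and return the real-time alerts to send."""
    account.token_activated_at = at
    return ["token_activated"]

def engage_kill_switch(account: Account) -> list:
    account.kill_switch = True
    return ["kill_switch_engaged"]

def evaluate_transfer(account: Account, at: datetime, high_risk: bool = True) -> tuple:
    """Return (decision, reason, alerts); 'hold' parks the transfer until the customer is reached."""
    if account.kill_switch:
        return "block", "kill_switch", ["transfer_blocked"]
    if (high_risk and account.token_activated_at is not None
            and at - account.token_activated_at < COOLING_OFF):
        return "block", "cooling_off", ["transfer_blocked"]
    recent = [t for t in account.outgoing if at - RAPID_WINDOW < t <= at]
    if len(recent) >= RAPID_MAX_COUNT:  # rapid-drain pattern: hold and contact the customer
        return "hold", "rapid_transactions", ["transfer_held", "contact_customer"]
    account.outgoing.append(at)
    return "allow", "ok", ["outgoing_transaction"]

def demo() -> list:  # constructed scenario: token activated at 09:00, transfers follow
    acct = Account()
    t0 = datetime(2024, 6, 1, 9, 0)
    activate_token(acct, t0)
    out = [evaluate_transfer(acct, t0 + timedelta(hours=1))[0],
           evaluate_transfer(acct, t0 + timedelta(hours=1), high_risk=False)[0]]
    for m in range(4):  # four transfers a minute apart once cooling-off has lapsed
        out.append(evaluate_transfer(acct, t0 + timedelta(hours=13, minutes=m))[0])
    engage_kill_switch(acct)
    out.append(evaluate_transfer(acct, t0 + timedelta(hours=14))[0])
    return out
```

Running `demo()` yields a high-risk transfer blocked inside the cooling-off window, a low-risk one allowed, three transfers allowed and the fourth held once the velocity threshold is hit, and everything blocked after the kill switch is engaged.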
Meanwhile, telecommunications operators are compelled to meet a very different set of obligations under the SRF. In particular, they’re required to implement sender ID authentication technologies that will only allow connections with authorized aggregators for SMS message delivery.
Should an SMS message be sent from an unauthorized Sender ID, telcos are required to put tools in place to be able to block those messages and prevent them from being sent to the intended recipient. This is a key step that aims to prevent scammers from using SMS messages to get past multi-factor authentication safeguards and send malicious links to consumers.
Lastly, telcos must also deploy anti-scam filters that can scan SMS messages for any malicious URLs by comparing them to a database of suspected phishing websites.
A model for shared accountability
The SRF uses a “waterfall” model to determine accountability, which essentially means that any entity that fails to meet its obligations will be held responsible for financial losses that occur due to phishing attacks. The regulation doesn’t impose any fines for non-compliance, but entities that don’t meet the new requirements will be compelled to compensate consumers who suffer a loss.
Of course, non-compliance with the SRF also carries the risk of damaging the reputation of financial institutions and telcos that fail to meet their obligations.
Under the SRF, financial institutions take the brunt of the responsibility. If they fail to meet the requirements of the SRF, such as by failing to provide real-time alerts to consumers, they will be held liable for any losses.
If the banks are able to show they have fulfilled their duties, but the telco fails to meet its obligations, then the telco will bear responsibility and be required to pay compensation to any victims.
Consumers will still be liable for their losses if it’s found that both the financial institution and the telco complied with all obligations and performed the required tasks. In such cases, no payouts will be required.
Taking steps to ensure compliance
Given the need to actively monitor and detect phishing scams, companies can turn to third-party scam detection tools that bundle real-time impersonation and phishing detection capabilities to prevent scams before they unfold.
Memcyco, for example, defends against website impersonation attacks by guarding companies’ users that visit impersonating phishing websites, keeping their data safe by scrambling it with marked, decoy data, and alerting users in real time to not provide their sensitive information. By constantly monitoring company websites for impersonation attempts, real-time tools can help keep companies compliant with the SRF by mitigating scams before they cause damage.
Another useful tool for financial institutions and telcos is Feedzai, which offers machine learning-powered tools that aim to identify and block fraudulent transactions in real time. Its platform is able to check on the legitimacy of any transaction in three milliseconds, using AI algorithms to identify any red flags that might indicate suspicious activity. As an AI-powered system, it “learns” over time as it scans more transactions, gradually increasing its effectiveness.
Final thoughts
While the SRF introduces significant new responsibilities for financial institutions and telcos, it’s widely viewed as a necessary tool to put a stop to the alarming rise in phishing attacks.
Organizations in Singapore may face challenges in meeting their obligations under the SRF, but at the same time, the SRF provides them with an opportunity to strengthen their anti-fraud operations and foster greater trust among their users.
TNGlobal INSIDER publishes contributions relevant to entrepreneurship and innovation. You may submit your own original or published contributions subject to editorial discretion.