Introduction
Mr Speaker, financial scams have become a major issue affecting all Singaporeans. According to the Police’s Annual Statistics for 2022, reported cases of scam and cybercrime increased by 25% year-on-year, totalling nearly 33,700 cases or 92 reports per day.[1] Many more may have gone unreported. Criminals are also becoming increasingly sophisticated, and even more technologically-savvy young adults are falling prey to these scams.[2]
On the human level, the suffering caused by such crimes is devastating. As MPs, we see too many residents who have lost large sums, in the hundreds of thousands of dollars. In most cases, lost monies are unlikely to be recovered. The losses suffered by each victim are not just measured in monetary terms i.e. how much was lost; but also measured by the impact of that loss on the individual or the family: on persons with serious health issues; on retirees; on those with mouths to feed; on the vulnerable.
When it comes to scams, the government, and in particular the Monetary Authority of Singapore (MAS), has consistently said that it expects banks to treat its customers fairly. But what exactly does the MAS expect of banks, and how does it exercise its supervisory power? For the customers, what recourse or support does the government provide to them? That is the focus of my motion today.
In a Straits Times opinion piece last Thursday (14 September 2023), Technology Editor Irene Tham opined that in order to fight scams, we may have to ditch some practices that make transactions easy.[3] She pointed out that, among others, banks needed to start accepting more responsibility; consumers, too, may have to put up with some inconvenience to keep online dealings secure. In my view, the government, as regulator, also needs to step up.
Before I proceed further, it is only fair to acknowledge the efforts by multiple agencies to address the scourge of scams. Among these efforts, the most visible are the scaled up public education and the setting up of the Anti-Scam Command and Anti-Scam Centre with collaboration between law enforcement and banks. I have also come across cases where banks managed to contact customers quickly and were able to stop a transaction before it was completed. But such success is, I believe, relatively rare.
Update on Loss Sharing Consultation Paper
On the specific question of who should bear the loss of scams, we understand from a Parliamentary answer in May, that the MAS intended to issue a public consultation on a framework for the equitable sharing of losses, in the third quarter of this year.[4] This was the latest update to the House, after pushing back the publication date for more than a year, citing the “complexity of the issues”.[5] No doubt, one such issue is likely the wide typology of scam victims, from those who were tricked by half-baked schemes, to the tech-savvy who inadvertently loaded malware into their phones. That said, the first clarification I would like to seek is: Is this timeframe for releasing the consultation paper by Q3 of this year, that is by this month or two weeks from now, still on track? If it is not, then what is causing the delay, and by when can the paper be released?
Inadequacy of a “Loss-Sharing Framework”
Sir, while the draft framework has not yet been published, the MAS had previously indicated that bank customers have a responsibility to take necessary precautions and should be expected to bear the proportion of the loss depending on “whether and how the party has fallen short of its responsibilities”.[6]
This is inadequate, and unjust, for three reasons:
First and fundamentally, consumers are not sufficiently equipped to combat scams. Fraudsters have become increasingly sophisticated and can now take control of a customer’s phone and obtain their bank login details through the clicking of a malicious link.[7] Even the most technologically savvy person could easily make this mistake and, within a day, have their life savings wiped out. While education and outreach efforts may go some way to mitigating this, it will always be playing “catch-up” with these organised criminals. With their increasing sophistry, targeting prey through social engineering, does the targetted person stand a chance?
Second, deciding in each case what is “equitable” will take time, and may be irrelevant to the more vulnerable in our society. According to the Financial Industry Disputes Resolution Centre, or FIDREC, which oversees many such disputes,[8] most cases are resolved within 6 months.[9] For a family whose life savings have been wiped out, this would be an inordinate and stressful delay. Further, forcing certain vulnerable groups (such as the elderly) to confront a big bank would be far from ideal. On a practical level, it would be difficult for them to gather and present evidence to prove that they have taken the “necessary precautions” as will be required by the MAS.
Lastly, as to who should lead in combating scams, banks are best positioned and the best resourced to do so. Therefore, banks should take on an outsized role in preventing them. Banks are able to monitor transactions, block suspicious payment flows and keep abreast of the latest technological developments. Such endeavours are beyond the remit of most bank customers.
Having emphasised why banks should take the lead in combating scams, I shall move on to three policy suggestions the government should consider. The first suggestion looks to how some other jurisdictions are protecting consumers. The second deals with some additional safeguards that the government should require of banks. And thirdly, I will argue why the government should not take a hands-approach when banks enter settlement agreements with affected customers.
Policy Suggestion 1: What Some Other Jurisdictions Are Doing to Protect Consumers
Mr Speaker, I urge the Government to consider the solution used in the United Kingdom[10]. From next year, banks in the UK will be required by law to fully reimburse scam victims. This will apply except in cases where the customer was fraudulent or grossly negligent, or the transaction involved cryptocurrency or international payments.[11] The mandatory reimbursement would cover payments through their Faster Payments platform, in situations we are familiar with, such as customers being tricked into transferring money, customers clicking on fake advertisements on social media, customers who were phished or hacked despite precautions, and customers who were groomed over time such as love scams.
The solution for such mandatory reimbursement is simpler and quicker. It will generally not require a time-consuming and resource intensive adjudication process for each case.
The UK Payments Regulator has explained how this would work. It would be limited only to certain types of domestic payments, with both the sending and receiving payment providers each sharing half of the reimbursement. These providers would have to do so within five business days.[12] It is noteworthy that the UK is a major financial centre and is prepared to take this tough stance against banks.
What about other jurisdictions? Australia is also reportedly considering adopting similar measures[13]. Meanwhile the European Commission too, has moved on this. In July this year, the EC proposed granting a “refund” to victims of authorised push payment fraud in certain circumstances, as part of revisions to the EU payments directive.[14]
I believe that this solution can and should be implemented in Singapore. It could cover all transfers between banks in Singapore via the FAST and PayNow systems. Like the UK system, it could be scoped to protect customers who are consumers, small business and charities. This would give Singaporeans the confidence to transact using these methods without fear that their savings will be unknowingly siphoned off. It would also ensure that victims of these scams would be compensated in a timely manner without having to undergo a complex adjudication process.
While some may argue that this would be unfair to the banks, I disagree. As I mentioned earlier, banks are best placed to identify and detect suspicious transactions, such as when a customer’s bank account is emptied over a short time, transfer limits are quickly changed and new payees are added. A cost-benefit analysis by the UK Payment Systems Regulator has also shown that the Reimbursement Model would incentivise payment service providers to improve the detection and prevention of fraud. This finding seems to resonate with banks who have been reimbursing customers who have been scammed. According to a senior official of UK bank TSB, having to reimburse customers for online fraud has incentivised it to be more proactive in detecting and preventing scams from the outset, resulting in less fraud. To state the obvious, prevention is preferable to reimbursement, as it stops the problem at its root. As more jurisdictions adopt such measures, international banks would also not balk at these requirements, or see Singapore as an outlier internationally if it adopted similar measures.
I also wish to address the concern about individual responsibility. While the MAS did note that bank customers “have the responsibility to take necessary precautions”, it cautioned that compensation paid should “not weaken the incentive for all to be vigilant”.[15] The Reimbursement Model still retains an element of individual responsibility as there will be no reimbursement where a customer is grossly negligent. However, the point remains that individual responsibility alone, is insufficient to combat these increasingly sophisticated and malicious scams.
Mr Speaker, I also urge the Government to consider ensuring that the Loss Sharing Framework applies retrospectively. While there is a general presumption that laws should not apply retrospectively, this is a specific instance where it should. The Court of Appeal explained in the case of ABU v Comptroller of Income Tax[16] that retrospective legislation is undesirable because it imposes “penalties or other disadvantages without fair warning” and “undermines expectations”. However, I would argue that this would not apply here, given that banks have been put on notice since MAS informed the banks of a desire to implement a loss sharing framework in February 2022 (1.5 years ago). Banks have also been consulted as part of the process as early as 2021 (as part of the Payments Council).[17] Given the delay in the publication of this framework, many scam victims have been left without recourse under the Loss Sharing Framework by no fault of their own. Accordingly, I urge the Government to ensure that these victims will be allowed to have their claims adjudicated fairly under the Framework.
Policy Suggestion 2: Additional Safeguards for Bank Customers
Mr Speaker, a further measure that can help us fight scams is the reintroduction of physical tokens as the default measure for two-factor authentication (“2FA”). Today, most banks only offer these on request and have a digital token or SMS verification as the default option for 2FA. This means that the mobile phone becomes a single source of vulnerability; should the phone be infected with malware, 2FA does not, in effect, act as a second degree of authentication. As pointed out by Ms Irene Tham in her article last week, experts believe that it is time to resurrect hardware tokens, which are standalone devices apart from the phone. MAS should advise banks to promote the physical tokens as the default option.
I also ask the Government to consider implementing additional verification checks where a customer transfers money to bank accounts of entities associated with cryptocurrencies (or digital payment tokens, “DPTs”). To be fair, the MAS has recognised the risks involved with DPTs[18] and has sought to regulate consumer access to DPT[19]. I urge them to further consider regulating transfers to bank accounts associated with DPT services providers. DPTs carry a higher risk of dissipation and are more difficult to trace, especially when transferred to wallets around the globe. Imposing mandatory delays, transfer limits and additional authentication could go a long way toward preventing customer monies from being siphoned off by fraudsters.
Vulnerable customers are another category to watch out for. Added verification steps and longer mandatory waiting periods should also be implemented where the transaction involves a vulnerable client, such as an elderly or mentally impaired person. Banks should adopt closer scrutiny over transactions from such accounts, mandating lower transfer limits and longer waiting periods by default.
I acknowledge that the measures I have suggested may cause inconvenience to some customers. For all of the measures, banks can provide customers the option to opt out of these safeguards, provided they are sufficiently aware of the risks.
Policy Suggestion 3: Safeguarding Customers from Unfair Settlements
Mr Speaker, some of us have received feedback from scam victims about how their banks try to settle their complaints. First, the sums offered as goodwill payments may be paltry in relation to the loss. Moreover, such offers are usually tied to non-disclosure agreements (NDAs) which are onerous and one-sided, requiring absolute secrecy from the customer and requiring the customer to forego all rights to recover further sums. The one-sidedness of such arrangements was also alluded to by Member Yeo Wan Ling in a Parliamentary question filed in November 2022.[20]
The MAS has made clear that it did not intend to regulate settlements. However, the unequal bargaining power between the banks and consumers is obvious. Will the MAS stand by if desperate customers are being bulldozed and bullied? A hands-off approach by the MAS is unacceptable.
On this issue, please let me elaborate in Chinese.
当银行客户向银行投诉关于他们的诈骗损失金额,有些银行通过给予客户小数额赔偿解决问题。此外,这些赔偿一般需要客户签署保密协议。这意味着客户必须放弃之后可能寻回的款项。这个情况严重说明银行和消费者之间存在显著的权力不平衡。就这个问题而言,政府不应该置之不理,而应该制定相应的准则让银行遵循。国会摘要 议员
While I agree that the MAS cannot micromanage the banks, can it do more than issue a motherhood statement that MAS expects the banks to treat their customers fairly? At present, banks in Singapore have published a voluntary Code of Consumer Banking Practice (the “Code”).[21] Under paragraph 3(b) of the Code, “fairness” is a key principle in resolving a dispute between the consumer and the bank. However, as a voluntary code, it lacks any regulatory bite. I urge the MAS to consider adopting regulatory guidelines to enshrine fairness as a key principle in the settlement of consumer disputes, especially in relation to scams. Some possible guidelines include banning the use of onerous practices such as blanket NDAs which require customers to give up legitimate claims to recover monies. Customers should also be given full disclosure about their rights and forms of recourse against the bank. Perhaps MAS should consider prescribing clauses in agreements that do not prejudice customers.
In some cases where customers have complained to the MAS about the settlements being unfair, these customers have been asked to approach FIDREC instead for assistance. So let me say something about the FIDREC option. There is currently a monetary limit of $100,000 per claim for FIDREC adjudication. Such a limit discourages those who have lost more from going to FIDREC. Should this monetary limit not be raised? Since the daily transfer limit for most customers for PayNow is $200,000 per day, would this limit not be more relevant to FIDREC today? Such a revision to FIDREC’s monetary limit would make FIDREC a more serious option for larger claims.
Conclusion
Mr Speaker, it is time for the Government to act swiftly and decisively on scam losses. Of paramount importance is ensuring that Singaporeans have confidence in their banking system and ensuring that those who have suffered a loss are fairly compensated. The draft framework for loss sharing is overdue. I have also highlighted why requiring customers to bear losses when they were not grossly negligent would not be fair. The Government should consider developments in other jurisdictions such as the UK to ensure that the banks, bear the cost of reimbursing victims, as they are best placed to identify and prevent such scams. Other measures, such as a return to physical tokens and ringfencing funds from high-risk activities like cryptocurrencies, should also be considered. Lastly, the government should provide a framework to protect customers from unfair settlements, and look at raising the monetary limit of FIDREC.
I urge the Government to do its part to ensure that we do right by bank customers.
Sources
[1] Singapore Police Force, Annual Scams and Cybercrime Brief 2022 (8 February 2023), available at: https://www.police.gov.sg/-/media/Spf/PNR/2023/Feb/Police-News-Release—Annual-Scams-and-Cybercrime-Brief-2022.ashx#:~:text=Scams%20and%20cybercrime%20continue%20to,from%2023%2C933%20cases%20in%202021.
[2] The Straits Times, Scam victims in S’pore lost $660.7m in 2022; more than half of them were young adults (9 February 2023), available at: https://www.straitstimes.com/singapore/scam-victims-in-s-pore-lost-6607-million-in-2022-almost-13-billion-in-past-two-years.
[3] The Straits Times, Want to fight scams? We may have to ditch some practices that make transactions easy (14 September 2023), available at: https://www.straitstimes.com/opinion/want-to-fight-scams-we-may-have-to-ditch-some-practices-that-make-transactions-easy.
[4] MAS, Written reply to Parliamentary Question on update on the progress of the framework for equitable sharing of losses (8 May 2023), available at: https://www.mas.gov.sg/news/parliamentary-replies/2023/written-reply-to-parliamentary-question-on-the-framework-for-equitable-sharing-of-losses.
[5] The Straits Times, Fair sharing of scam losses: Draft framework delayed due to ‘complexity of issues’, says MAS (18 July 2022), available at: https://www.straitstimes.com/business/banking/draft-framework-for-fair-sharing-of-scam-losses-delayed-due-to-complexity-of-issues-involved-mas.
[6] MAS, A Framework for Equitable Sharing of Losses Arising from Scams (4 February 2022), available at: https://www.mas.gov.sg/news/media-releases/2022/a-framework-for-equitable-sharing-of-losses-arising-from-scams (“MAS Feb 2022 Media Release”).
[7] STOMP, At least 27 victims have lost $325,000 to mooncake scams in August 2023 (8 September 2023), available at: https://stomp.straitstimes.com/singapore-seen/at-least-27-victims-have-lost-325000-to-mooncake-scams-in-august-2023
[8] The Straits Times, Nearly a third of financial claims involve fraud and scams: Dispute resolution body (24 November 2022), available at: https://www.straitstimes.com/business/nearly-a-third-of-financial-claims-involve-fraud-and-scams-fidrec.
[9] Fidrec, FAQs, Response to Question 13, available at: https://www.fidrec.com.sg/knowledgebase/article/KA-01013.
[10] Explanatory Notes to the Financial Services and Markets Bill, Clause 68, Authority of the House of Lords and House of Commons (8 December 2022), available at: https://bills.parliament.uk/publications/49063/documents/2625.
[11] Policy Statement – Fighting authorised push payment fraud: a new reimbursement requirement – Response to September 2022 consultation (CP22/4), Payment Systems Regulator (June 2023), available at: https://www.psr.org.uk/media/rxtlt2k4/ps23-3-app-fraud-reimbursement-policy-statement-june-2023.pdf (“PSR September Consultation”).
[12] PSR September Consultation, page 6.
[13] ABC News, While Australian banks refuse most scam victims refunds, the UK is making them mandatory (11 July 2023), available at: https://www.abc.net.au/news/2023-07-11/uk-laws-force-to-banks-reimburse-scam-victims-unless-negligent/102563000.
[14] European Commission, Payment services: revised rules to improve consumer protection and competition in electronic payments (28 July 2023), available at: https://ec.europa.eu/commission/presscorner/detail/en/qanda_23_3544.
[15] MAS Feb 2022 Media Release, para 4.
[16][2015] SGCA 4 at [58], citing Ruth Sullivan, Driedger on the Construction of Statutes (Butterworths, 3rd Ed, 1994) at p.513.
[17] MAS Feb 2022 Media Release, paras 2-3.
[18] Financial Times, Letter: Singapore will have one of the strictest crypto regimes: MAS (1 September 2023), available at: https://www.ft.com/content/8c89348f-76f6-47bc-a207-6313602a0808.
[19] MAS, MAS Publishes Investor Protection Measures for Digital Payment Token Services (3 July 2023), available at: https://www.mas.gov.sg/news/media-releases/2023/mas-publishes-investor-protection-measures-for-digital-payment-token-services.
[20] MAS, Reply to Parliamentary Question on banks making offers to scam victims (30 November 2022), available at: https://www.mas.gov.sg/news/parliamentary-replies/2022/reply-to-parliamentary-question-on-banks-final-settlement-for-scam-victims.
[21] Association of Banks in Singapore, Code of Consumer Banking Practice (November 2016), available at: https://abs.org.sg/docs/library/code-of-consumer-banking-practice.pdf.