Protection from Scams Bill – 7th January 2025 – Speech by Gerald Giam (Aljunied)

Mr Speaker,

Scams are wreaking havoc on the lives and life savings of many Singaporeans. In just the first half of 2024, 26,587 scam cases were reported, with losses exceeding $385.6 million. Behind some of these numbers are residents of Aljunied GRC, a number of whom have sought my help to recover their hard-earned money. Sadly, in most cases I’ve seen, recovery has been minimal, as the funds have been transferred out of Singapore and the burden of preventing scams still rests heavily on the shoulders of end users.

The Protection from Scams Bill is an important step towards combating this scourge. However, it introduces a significant change to the legal relationship between banks and their customers. Traditionally, banks have acted as fiduciaries, with a singular duty of loyalty to their customers, including following specific instructions for financial transactions. This Bill, however, empowers the police to issue Restriction Orders to banks, enabling them to temporarily restrict an individual’s banking transactions if there is reasonable belief that the customer is about to transfer money to a scammer.

I believe that this is a justifiable shift given the grave risks posed by scams, including the potential for victims to lose their life savings. However, its effectiveness is contingent upon timely identification and intervention by the authorities, which may not be feasible in all cases. Many scams are executed within minutes — even seconds — leaving no time for third parties to intervene. This makes the Bill less effective in these increasingly common high-speed scenarios.

May I ask the Minister of State, based on the scam cases that came to the attention of the police over the past year, has the Ministry modelled how many Restriction Orders would have been issued if this Bill had already been in effect?

To better combat scams, we need more systemic safeguards that stop scams before they start, hold financial institutions (FIs), telcos, social media companies and messaging providers more accountable in preventing scams from taking place on their platforms, and compensate victims if they fail to put in place adequate measures.

Shared Responsibility Framework

Some safeguards are captured in the Shared Responsibility Framework (SRF), which took effect on 16 December 2024. However, the SRF focuses solely on phishing scams that lead to unauthorised transactions. It assigns a few specific duties to banks and telcos to mitigate such scams, and requires compensation for victims when these duties are not fulfilled.

While the SRF improves protections against phishing-related threats, it does not cover the full range of scams affecting consumers today. Many scams, such as investment scams or romance scams, rely on social engineering to deceive victims into authorising payments under false pretences. Unlike phishing scams, these involve victims being misled about the purpose of the transaction rather than unauthorised access. Addressing such scams requires tailored strategies and frameworks, which I will come back to later.

Conflict of Interest in Investigations

I am concerned about the SRF’s reliance on banks to conduct the initial investigation into scams, including assessing whether they have fulfilled their duties. This presents an inherent conflict of interest, as banks are both the investigator and an interested party, with a financial incentive to conclude that they met their obligations. This also creates a significant disadvantage for scam victims, who lack access to key evidence, such as system logs or fraud detection records, and often do not have the expertise to effectively challenge the banks’ findings.

Scenario Highlighting the Problem

Consider this scenario: A bank customer falls victim to a phishing scam where their funds are fraudulently transferred out of their account. The customer raises a claim under the SRF, asserting that the bank failed to meet its obligations, such as sending real-time notifications or flagging the suspicious transaction through its fraud detection systems. The bank conducts the initial investigation and concludes that it fulfilled all its duties under the SRF, including providing the required alerts and adhering to the cooling-off period. It informs the customer of its findings and denies liability for the losses.

The customer, lacking access to system logs or detailed evidence of the bank’s actions, is unable to independently verify whether these obligations were indeed fulfilled.

FIDReC and MAS’ Access to Evidence

Although the customer has the option to escalate the matter to FIDReC or MAS, these bodies may also face limitations in their ability to access critical evidence. If these bodies are called upon to adjudicate disputes or review banks’ investigations under the SRF, do they have direct access to the necessary evidence, such as system logs, fraud detection records, and notification timestamps? If these bodies rely solely on banks to supply this evidence, there is a risk that the information provided may be selective or incomplete, especially when the findings could impact the banks’ liability.

For oversight to be truly effective, these adjudicating bodies must have the authority and technical capability to directly access and verify evidence rather than depend on the banks’ representations. Without this, the impartiality and robustness of the review process may be compromised.

Proposal for Independent Investigative Body

To address these shortcomings, an independent investigative body should be established to handle scam-related cases pertaining to banks’ fulfilment of their SRF obligations. This body would examine evidence provided by the bank, the customer and any relevant third parties to ensure impartiality and transparency. Such a body would act as a neutral arbiter, removing the inherent conflict of interest in having banks investigate cases where they are an interested party.

Additionally, victims should be informed of their rights and available recourse options as part of the investigation outcome report. This includes clear guidance on how to escalate disputes to independent bodies such as FIDReC. Providing this information upfront will ensure victims are aware of their options and are not left without avenues for redress if they disagree with the findings of the investigation.

Enhanced Protections Against a Wider Range of Scams

I would like to make several more proposals for regulators to require platforms to put in place enhanced protections against a wider range of scams. These complement the proposals I put forward in my speech during the Second Reading debate of the Online Criminal Harms Bill on 5 July 2023.

Banks

Digital Wallets

A recurring scam that my residents have brought to my attention involves the misuse of digital wallets like Apple Pay and Google Pay. Scammers set up a digital wallet linked to the victim’s bank account. While multi-factor authentication (MFA) is typically required during setup, scammers exploit social engineering techniques to manipulate victims into unknowingly approving the setup. Once the wallet is linked, subsequent payments often bypass additional authentication, allowing scammers to rapidly deplete funds without further victim involvement.

This highlights several possible vulnerabilities in the current system. First, the reliance on MFA alone is insufficient when victims are tricked into authorising fraudulent setups. Second, once the digital wallet is authorised, there is a lack of effective monitoring to detect and flag suspicious transactions. Third, the absence of clear accountability between banks and digital wallet providers exacerbates the issue, leaving victims with little recourse.

To address this gap, banks must be required to work with digital wallet providers to deploy real-time fraud detection algorithms that monitor all digital wallet transactions for anomalies, including transactions that occur after the initial digital wallet setup. These algorithms should integrate behavioural analysis, such as device changes, unusual transaction patterns or foreign IP addresses, to flag high-risk activities. This will enable proactive intervention to block unauthorised activities before funds are lost. Banks should be held liable for losses if they fail to meet these duties.

Know Your Payee

Financial institutions should be required by the regulator to enhance backend fraud detection by integrating account data, behavioural analysis and anomaly detection to identify high-risk payees—who are the possible scammers or their agents. This approach minimises reliance on customers’ judgement alone and strengthens fraud detection.

Centralised Scam Database

Many platforms, including social media, email and messaging services, as well as telcos and mobile handsets, already offer mechanisms to block and report suspected scams. However, these reports are often siloed, remaining on the user’s device or with the platform concerned. There is no centralised scam database to consolidate and share this information.

Currently, many scam reports only enter the scam database managed by the Singapore Police Force if the user installs the ScamShield app and submits the scam through it. This approach is insufficient to crowdsource the collective knowledge of a broader pool of users to identify and report scams as they emerge.

To address this, the scam database currently managed by the police should be allowed to receive real-time updates from banks, telcos, social media platforms and messaging providers based on user reports, while incorporating robust safeguards to protect privacy. These platforms should then use this shared data for monitoring and proactively blocking scams on their platforms.

Rating Relevant Entities

MAS and IMDA should assess and rate financial institutions, telcos, social media companies and messaging platforms on the robustness of their anti-scam measures and their implementation of the systemic safeguards mentioned earlier.

To promote accountability and incentivise improvements, these ratings should be clear, fair and standardised, with transparency to consumers. However, vulnerabilities identified during the assessment should not be publicly disclosed until the entities have had a reasonable opportunity to address them to ensure security is not compromised.

Conclusion

Mr Speaker, scams are an evolving threat. This Bill takes an important step forward with its focus on “emergency brakes” to mitigate harm in individual cases. However, its scope remains narrow. To effectively combat scams, we need more systemic safeguards that address root causes and build resilience across platforms.

These systemic safeguards include deploying real-time fraud detection for digital wallet transactions, enhancing Know Your Payee mechanisms to flag suspicious payees, and creating a centralised scam database accessible to banks, telcos and social media companies for real-time monitoring and blocking. Together, these measures will ensure more robust prevention, swift enforcement and shared responsibility in protecting Singaporeans from scams.

Sir, I support this Bill but urge the government to consider these proposals, and look forward to the Minister of State’s responses to them.