Those of us who have traveled or lived in the United States may be aware that if we open our bank or credit card statement and notice an unrecognized transaction, we would simply call the financial institution, report the incident, and in most instances, the customer service officer would eventually remove the errant transaction, often after some investigation.
I used to view this as an anomalous luxury, the sort of sociocultural exceptionalism that only a global financial superpower like the United States would be able to conjure it. But I now understand that—much like the ability to return goods, no questions asked, within a stipulated timeframe, or the ability to access long-term fixed-term mortgages—that these features of economic life result from regulatory and legislative choices that the U.S. has chosen. Indeed, many other OECD economies have weaved together laws and regulations that afford much more financial protection for the average consumer that we have been able to muster.
Mr Speaker, the Financial Services and Markets Bill of 2022 brings together a host of hitherto disparate financial sector requirements that fall under the Monetary Authority of Singapore (MAS), into a single piece of legislation. Such consolidation is welcome, of course, not least because it renders transparent the full scope of rules and regulations that MAS oversees.
The omnibus bill is wide-ranging, and touches on matters as diverse as anti-money laundering (AML) and combating financing of terrorism (CFT) provisions, requirements for technology risk management, and statutory protection for financial dispute resolution agents. While I support the Bill, I will focus my remarks on Part 5, which have to do with technology risk management. I will do so through the lens of the consumer, and in particular, consumer protection.
Banking scams are costly and painful
Banking-related fraud is pervasive in Singapore. In 2020, there were 893 reported cases of banking-related phishing activities, costing victims at least $3.3 million. And in the first half of 2021—excluding the $13.7 million loss from the OCBC episode—already 535 cases were reported, tallying at least $2.1 million. The number of scam cases have steadily risen, and this trend is unlikely to retreat.
I am certain that many of us have had residents come to us for help with banking scams. For the recent OCBC phishing scam alone, I had 2 different residents reach out to me. The scams wiped out their life savings. And I have felt helpless—perhaps as helpless as they did—that I could not offer much more, than to reach out to the banking institutions to share their side of the story, reassure them that the police were working on solving their case, and offer to follow up with any agencies that they felt were not being responsive. But I could not tell them that Parliament was working to better protect them, and others like them, with the force of law.
As online services become increasingly the norm in Singapore, the opportunities and incentives for bad actors increase. While banking scams are impossible to completely eradiate, we can better manage the acceptable level of risk. But our legislative efforts have largely been cautionary—encouraging individuals to exercise the appropriate cyber-hygiene (as if we needed another type of hygiene situation to worry about)—or reactive, when the police force is mostly left with belated attempts to track down and apprehend perpetrators, many of whom will either never be found, or will fall beyond the reach of our current laws.
Industry self-regulation has been ineffectual
The banking sector, to date, has appealed to the viability of self-regulation. Indeed, on paper, some of these additional protections may have helped prevent some instances of fraud, had they been operative. But many were not.
As I shared with this House in February, my Sengkang colleague, Louis Chua, and I conducted a simple experiment where we tested PayNow safeguards by transferring sums in excess of $1,000, the maximum daily transfer limit allowed without requiring token authentication. As I shared then, we were able to do so without any two-factor authentication, beyond the PIN. We have since repeated the experiment—all good science must be replicable!—and I can confirm that we were still able to breach the stated limits.
Mr Speaker, Part 9 of the Bill exhaustively deals with many aspects of digital token service providers. However, even the most finely-tuned stipulations will be of limited efficacy, if the tokens themselves are not deployed as intended.
Moreover, lapses of this nature are not isolated. Another customer shared about how her mother’s credit card limit was breached by almost two times, without any alert or the credit line being frozen. I have had residents share with me about how, after they had inadvertently released their banking information to a scammer, they realized their mistake and—within the following hour—called the bank to request forfeiting of any further transactions. But the long hold times and (ironically) security verification procedures meant that the fraudulent transfers took place in the interim.
As experts in the financial world, banks and their staff have a duty of care to their customers. They hold far greater knowledge of the inner workings of illegal modi operandi—money mules, laundering, impersonation, scam rings—than the average customer. Moreover, they have access to the customer’s banking history, which can be used to detect anomalies or deviations in behavior. Scams and phishing operations have grown so sophisticated that the average layperson—not to mention those who are not as comfortable with technology—cannot always be reasonably expected to routinely identify and avoid them.
To be fair, such due diligence is already exercised in limited form today, which means that it is clearly doable. Software-led detection of anomalous transactions has been employed by American credit card companies for decades. More recent advances in big data and machine learning have refined such techniques even further. These have been deployed to help thwart scam attempts here.
But absent stricter legislative consequences that would spread the costs of breaches and establish a minimum standard of care for retail banking customers, the effects of the inevitable lapses will continue to mainly be borne by the end-user. This still leaves enormous leeway for how banks currently choose to handle scam cases, with very limited recourse for the consumer. As a nation, we have never shied away from complementing regulation with legislation. There is little reason for us to revise this now.
MAS supervision has largely been reactive
In principle, the government already has the tools to enforce greater discipline on banks to ensure that consumers are better protected. But there are reasons why the banking regulator, the Monetary Authority of Singapore (MAS), has been more reactive than proactive.
First, banking regulation is but one of many, many hats that the MAS wears. The MAS is, simultaneously, the lender of last resort, banker to the government, guardian of inflation, executor of exchange rate policy, promoter of financial development, overseer of financial stability, and financial sector regulator. Setting aside how such a multiplicity of objectives may occasionally come into conflict, the many objectives make it difficult for a single regulator to monitor and ensure coherence between them.
Second, in its efforts to foster greater financial sector development, the MAS may be more comfortable with allowing banks to experiment with innovations. This is not an issue, on its face, but the risk is that the costs of such innovations end up being disproportionately borne by the end user. Admittedly, supporting banking innovation and entrepreneurship requires some degree of regulatory forbearance, but by the same token, this may in turn foster an aversion toward excessive or overzealous enforcement.
Third, the proof of the pudding is in the eating. MAS has not always appeared to be aware of the blind spots, or if it has, it has been reticent to act quickly and decisively. In the recent OCBC fiasco, MAS only announced possible supervisory actions against the bank, well after the fact, and in the wake of a public outcry over the matter. And despite well-known security vulnerabilities associated with SMS technology, MAS had continued to permit its use for sensitive functions such as OTPs or requesting information from customers, and has only advocated the removal of clickable links thus far.
An independent consumer financial protection arm within MAS
Even if we wish for MAS to retain overall oversight responsibility over the financial sector—as implied by the consolidations weaved into this Bill—it is still reasonable to have an independent consumer financial protection arm, operating within the broader ambit of MAS.
The financial protection arm would receive complaints from the public on consumer finance, such as deposits, mortgages, credit cards, an auto and education loans. It would also examine compliance with regulation, from the standpoint of end-user. In this manner, we will have distinct departments addressing concerns raised by the consumer and producer (which is, in this case, the banking sector). A Chinese Wall could then shield this body from the various prudential supervision departments.
In the past, there was a Market and Business Conduct department, which ostensibly served the “interests of depositors, investors, and policyholders”. This may have since been enfolded into the Corporate Finance and Consumer department. In either case, however, these appear to work more with market professionals and possibly sophisticated investors, rather than the retail consumer, nor does the department appear to be empowered to advocate on behalf of the consumer.
The importance of consumer financial protection laws
But we can go beyond regulation—even the beefed up kind I have suggested—to introduce outright consumer financial protection legislation. This can be independent of existing regulatory and consumer education efforts.
Some see regulation and legislation as essentially two sides of the same coin. At risk of seeming pedantic, this is a distinction with a difference. Regulation is a function of government agencies and the domain of bureaucrats, while legislation is debated, deliberated, and realized in this House.
Regulation has one clear advantage over legislation: because it falls under the purview of a governmental agency—in this case, the MAS—and does not have to undergo the bills process, it can be more nimble than full-bore legislation. By the same token, however, codifying essential principles into legislation enshrines the doctrines that we wish to remain inerrant, and allows them to remain invariant to the vagaries of implementation. Just as important, laws embed the democratic process, in a manner that regulatory machinations never can.
Many other jurisdictions have specific consumer protection laws. In the United States, the Fair Credit Billing Act was enacted as far back as 1974, and requires prompt written acknowledgement of billing disputes and the investigation of billing errors by creditors. In 2010, the Consumer Financial Protection Act was passed, establishing an independent agency within the Federal Reserve to regulate the offering and provision of consumer financial products. The United Kingdom Consumer Credit Act provides a number of comparable protections, and in the European Union, the Revised Directive on Payment Services encapsulates a number of regulations governing financial service providers, including requiring strong customer authentication for the majority of electronic payments.
Implementing legislation for stronger consumer protection does not absolve individuals of their responsibility to practice good cyber hygiene. But, at the very least, it will shift the burden of defending against such unscrupulous behavior away from resting almost entirely on the shoulders of the household, and bring businesses—in particular banks—into the risk-sharing picture as well.
Back in February, MAS announced a framework for the equitable sharing of losses arising from scams. This is surely welcome, and will provide additional clarity on apportioning fraud-related losses. But the framework is far from comprehensive, and does not yet address aspects of consumer protection beyond scams. And just as we do not rely solely on mediation mechanisms—such as TADM and TAFEP—to fully govern our labor disputes, we can further support consumer rights in finance with appropriate legislation.
If the experience of the United States is any indication, passing a Consumer Financial Protection Law would likely lead to financial institutions taking much more care to detect and preemptively stamp out instances of phishing and fraud, since losses cannot be immediately foisted off to the customer. Financial institutions would also be more inclined to pursue unauthorized purchases with the merchant (and these merchants, in turn, would be more careful in accepting potentially fraudulent payments, else they lose their right to accept that mode of payment). Rudimentary small-claims insurance schemes would also emerge, with costs often absorbed by the financial institutions themselves.
Will this increase the cost of doing business? Of course. But the point is that the cost of policing e-commerce fraud and theft was always there; it was simply absorbed almost entirely by the consumer. Such a law would spread the risk among all actors in the economy: the buyer, the seller, and the financial intermediary. It is an idea whose time has come.
 Delamaire, L., H. Abdou & J. Pointon (2009), “Credit Card Fraud and Detection Techniques: A Review,” Bank and Bank Systems 4(2): 57–68.
 Begum, Y. (2021), “S$500,000 Scam Foiled By Police and Digital Asset Trading Firm,” CNA, Dec 17; Low, D. (2021), “Banks and Police Work to Thwart Scams Targeting Customers,” Straits Times, Aug 27.
 For example, the MAS role as financier to the government would generally favor keeping interest costs minimal; however, high rates of inflation may justify raising the policy rate to contain inflationary pressures. Similarly, its interest in ensuring financial stability may require temporarily relaxing strict microprudential regulation over lending standards, in order to limit bank failures during times of financial turmoil.
 In the debate on the Exchanges (Demutualization and Merger) (Amendment) Bill, the government noted that conflicts of interest between the two objectives should be limited, since direct pecuniary interests are not derived from either. This is true, but does not preclude indirect (and inadvertent) conflicts, even among a well-meaning regulator, as noted in the prior footnote. See Hansard (2022) 95(45): Jan 11.
 This much is recognized by the authorities. See MAS (2021), “SMS One-Time Passwords Diverted to Perform Fraudulent Card Payments,” Press Release, Sep 15; SPF (2021), “Police Advisory On Phishing Scam Involving SMS From Fake E-Commerce Platform,” Press Release, May 6. To be fair to the banks, a number have deployed soft tokens, authenticator apps, or biometrics for verification. These are generally regarded as the current best practice, but—perhaps because of ensuring accessibility, especially among the elderly and less technologically-savvy—there has been no move to ban the use of SMS. Ironically, however, these are the very populations that require protection from baking scams and financial fraud.
 US Code Tit. 15, Chap. 41.
 Public Law 111–203.
 Consumer Credit Act 2006, S.I. 2006/1508 (C. 52).
 PSD2, Directive (EU) 2015/2366.