New anti-scam measures are good but standards needed instead of “best effort” from banks

Cybersecurity

0

A slew of new measures are coming into play to keep out scammers as lawmakers in Singapore this week looked to soothe public concerns over the safety of digital banking services in the country.

For starters, banks here will review the use of SMSes for one-time passwords (OTPs) and shift faster to more secure mobile apps, Monetary Authority of Singapore (MAS) deputy chairman Lawrence Wong told Parliament on Tuesday.

Major retail banks in Singapore will also be told to register their alphanumeric IDs on an SMS protection registry, which will help guard against scam SMSes, according to Josephine Teo, Minister for Communications and Information.

As if on cue, OCBC Bank today also rolled out a “kill switch” that lets customers freeze an account if they suspect they are being scammed.

Many victims of the OCBC phishing scam in December were put on hold when they tried to get through to the bank as money was being transferred out by scammers. So, a kill switch is a good measure, if a reactive one.

Indeed, the changes that are being made now are important, even if they have only come about after S$13.7 million were stolen in the high-profile scam, which caused a number of the 790 victims to lose their life savings.

What’s needed for the long term, however, are not just piecemeal or ad hoc changes. Instead, standards for things like anti-fraud measures and risk management need to be specified for banks, so they share the digital risks with the customers they serve.

Of the many questions raised by Members of Parliament, Foo Mee Har asked a great one – whether the central bank would impose minimum standards on banks’ fraud surveillance systems.

Wong, who is also Finance Minister, replied that the monetary authorities do not prescribe specific controls but set out broad expectations for banks.

If these are not met, then the banks face penalties, he added. Plus, if financial institutions fall short of responsibilities, they will have to bear their share of losses, The Straits Times reported.

One question for such an arrangement is whether these “broad expectations” can be open to interpretation.

While banks can say that their fraud detection capabilities are boosted by artificial intelligence (AI) and other newfangled technologies, there does not seem to be a required measurement of how effective these are.

Does having such a measure in place, even if it’s done based on a “best effort” basis, mean that a bank can say it’s done its part and isn’t liable for a customer’s losses from a scam?

To be sure, technologies change all the time and certainly, scam tactics evolve against these defences as well. Casting everything in stone might make you seem outdated pretty fast.

That said, there are detailed technology risk management guidelines that the Monetary Authority of Singapore (MAS) clearly puts out regularly to financial institutions here.

These include advisories to use two-factor authentication (2FA) to challenge a user if a transaction is made, plus the need to disclose any significant downtime due to cybersecurity breaches.

However, as pointed out by experts, these recommendations are just that – recommendations – and they don’t carry legal weight when it comes to determining who’s liable for a victim’s loss.

Should these best practices be made mandatory? After all, these are important guidelines that should be followed, not just taken as passing advice and executed with the minimum of effort.

Compare this to how the Infocomm Media Development Authority regulates telecom operators. It sets out clear quality of service standards that telcos have to meet or face penalties ranging from S$5,000 to S$50,000 for each offence, depending on severity.

Clear standards mean that those in the sector have nowhere to hide if they are not up to scratch. Plus, they also make the regulator’s job clearer and simpler – penalties are not meted out in an ad hoc manner but consistent with historical precedents.

Wong has said a framework is in the works to spell out clearly the responsibilities for financial institutions and customers, so the share of losses in a scam will be determined by how much each party has fallen short of these responsibilities.

For this to be work, however, these responsibilities cannot be general statements about a duty of care – they have to be detailed on how much a bank has to do, for example, to get its anti-fraud systems in place.

Clear examples or cases should be made to explain if a bank should be liable if, say, its SMS OTPs are diverted by hackers or stolen.

Or if its anti-fraud measures do not detect an obviously suspicious transaction that a human operator at a branch would have reasonably identified.

Why be so prescriptive? Well, you don’t want to force a court to interpret and analyse whether a bank has taken the right technological measures if one day such disputes between a consumer and a bank end up in court.

That would certainly not be in the interests of consumers, who typically do not have the money to fight the legal muscle that banks can summon.

How much will you pay lawyers to get back your S$100,000, for example? And do you even have money left after a scam?

This would be a David versus Goliath match, as lawyers would say, and David does not win a slugfest dragged out over years.

Thus, it is important that government regulators spelt things out clearly, so there is little doubt how the responsibilities are shared.

They are the experts, after all, who are tuned in to the current risks, and they can continually revise this framework to reflect the changing roles both banks and consumers should play.

For consumers, this framework will also make clear what risks they undertake when they use an online banking service.

They certainly can’t expect a bank to pay them their entire losses every time, as OCBC did this time round for the victims after facing public pressure for weeks.

If the risks far outweigh the convenience, it might be better to carry out fewer online transactions and rely less on the digital services that banks push out. Yes, more friction, but less risk.