Singapore has introduced a groundbreaking Shared Responsibility Framework (SRF) that requires banks and telecommunications companies to actively prevent phishing scams or face financial consequences.
The framework establishes clear obligations for both financial institutions and telecom operators. Banks must now implement several protective measures, including a mandatory 12-hour cooling-off period for high-risk activities after digital security token activation. They are required to send real-time alerts for new device logins and transactions, provide customers with emergency "kill switches" to block account access, and deploy systems to detect unauthorized rapid transactions.
Telecom companies face their own set of requirements under the SRF. They must authenticate sender IDs and block unauthorized SMS messages. Additionally, telcos need to implement filtering systems that scan messages for malicious URLs by comparing them against databases of known phishing websites.
The framework uses a "waterfall" approach to determine accountability. If banks fail to meet their obligations and customers lose money to phishing attacks, the financial institutions become liable for compensation. Should banks fulfill their duties but telcos fall short of requirements, telecommunications companies must compensate victims. However, if both parties comply with all obligations, customers remain responsible for their losses.
While the framework does not impose direct fines, non-compliant organizations risk both financial liability and reputational damage. The SRF represents Singapore's response to increasingly sophisticated phishing attacks that have caused substantial losses globally.
Organizations can leverage various technological solutions to meet these new requirements, including AI-powered fraud detection systems and real-time monitoring tools that can identify and block suspicious activities within milliseconds.
The SRF marks a shift away from placing sole responsibility on scam victims, instead creating shared accountability across the financial and telecommunications sectors to combat the rising threat of phishing attacks.