The Monetary Authority of Singapore (MAS) has issued a set of guidelines aimed at protecting users of electronic payments from fraud, errors and security threats.
The guidelines apply to both users of e-payments and the financial institutions (FIs) - banks, insurance providers, firms with stored value facilities and other intermediaries - that provide these electronic services, reported the Straits Times.
The guidelines, to kick in by 31 January next year, aim to establish a common baseline of protection that responsible FIs offer on a business-as-usual basis to individuals or sole proprietors against losses arising from isolated unauthorised or erroneous transactions from these account holders' protected accounts.
Guidelines for users
The account holders are expected to provide the responsible FI with contact details, monitor transaction notifications to spot suspicious activities early, and practise good security measures.
These measures include updating the device’s browser to the latest version available, patching operating systems with regular security updates, installing the latest anti-virus software and using strong passwords, such as a mixture of letters, numbers and symbols.
If there are unauthorised transactions, the user should report them to the responsible FI as soon as possible, cooperate with the FI on the affected account, and report the transactions to the police if the FI requests it to facilitate the claims investigation process.
Guidelines for FIs
For their part, FIs should inform every user of the user protection duties, and should provide transaction notifications to users via SMS or email.
When it comes to transactions made by internet banking, any mobile phone application or device arranged by an FI for payment transactions, including a payment kiosk, a responsible FI should provide an onscreen opportunity for the user to confirm the payment transaction and recipient credentials before the responsible FI executes any authorised payment transaction.
The FI should also provide reporting channels for the purposes of reporting unauthorised or erroneous transactions and assess any claims made by the user of unauthorised transactions. During the claims resolution process, should the user request it, the FI would also be expected to provide the user with relevant information on all the unauthorised transactions which were initiated or executed from a protected account, including transaction dates, transaction timestamps and parties to the transaction.
The FI should complete investigations within 21 business days for straightforward cases and 45 business days for complex ones—such as those where any party to the unauthorised transaction is resident overseas or where there is insufficient information from the user. Once investigations are completed and should a user not be liable for any loss, the FI should credit his account.
Where the user does not agree with the responsible FI’s assessment of liability, or where the responsible FI finds that the claim falls outside of its scope of liability, the user and the responsible FI may proceed to commence other forms of dispute resolution, including mediation at the independent Financial Industry Disputes Resolution Centre Ltd (FIDReC) where the responsible FI is a FIDReC member.
Liability for losses arising from unauthorised transactions
The guidelines state that users would be liable for actual loss arising from an unauthorised transaction where their recklessness is the cause, with the loss capped at any applicable transaction limit or daily payment limit that the account holder and responsible FI have agreed to.
Should the FI be at fault, it is liable for the full amount. For transactions up to $1,000, it would also have to bear full liability even if third parties caused the incident.
All other situations, including losses above $1,000 and attributed to third-party fault, will be assessed on a case-by-case basis by the financial institution.
Where a transaction is made in error, a user will need to inform the FI immediately, while the institution cannot debit the recipient's account without his consent. Simple cases will require the user's and recipient's financial institutions to make reasonable efforts to recover the erroneous sum within a week.
Scams would not be considered unauthorised or erroneous transactions, as the user was deceived by a scammer unrelated to financial institutions or merchants.
The guidelines, which were consulted on earlier this year before being introduced, encourage the wider adoption of e-payments by setting standards on the responsibilities of both groups, said the MAS. They are part of an e-payment road map set out by MAS in 2016 to modernise regulations on cashless transactions.