MAS proposes improvements to the E-Payments User Protection Guidelines to improve anti-scam controls and emphasise consumer vigilance and responsibility.

Insights

MAS Proposes Improvements to E-Payments User Protection Guidelines

Date
October 27, 2023
Author
OrionW

The Monetary Authority of Singapore (MAS) is consulting on proposed updates to the E-Payments User Protection Guidelines (EUPG) to improve anti-scam controls and emphasise consumer vigilance and responsibility in view of the rising incidence of digitally-enabled scams.

The EUPG applies to (a) financial institutions (Responsible FIs) that issue or operate protected accounts, which are essentially payment accounts of individuals (including sole proprietors) that can hold more than S$500 (or its equivalent foreign currency) and can be used for electronic payment transactions, and (b) users of protected accounts.

Key Proposed Changes

The Proposed EUPG sets out the following key enhancements:

  • Restrictions on sending clickable links and phone numbers: A Responsible FI must:
    • not send clickable links via email or SMS to a protected retail banking account holder unless (a) the link is only informational and does not require the account holder to perform a transaction or install an application and (b) the account holder is expecting the link; and
    • not send phone numbers via SMS to a protected account holder unless the latter is expecting it.
  • Real-time notifications: Real-time notifications must be sent to protected account holders when (a) their digital security token is activated; (b) a high-risk activity (e.g., adding of payees to the accountholder's payment profile, increasing transaction limits for outgoing payment transactions) is being performed or (c) an outgoing payment transaction in excess of the transaction notification threshold is being made.
  • Cooling-off period: A digital security token should be allowed to authenticate a high-risk activity only after 12 hours from the time of its activation.
  • Kill switch: A Responsible FI must provide account holders with kill switches to block further mobile and online access to the protected account.
  • Responsibilities during scheduled downtime: The obligations to provide real-time notifications and kill switches apply even during a scheduled system downtime.
  • Additional account holder duties: Account holders will be responsible for:
    • using strong passwords or strong authentication methods such as facial recognition or fingerprint authentication;
    • not jailbreaking or rooting devices they use;
    • downloading Responsible FI's mobile application from official sources only;
    • using a Responsible FI’s contact details obtained from official sources;
    • not clicking on unexpected links purportedly from a Responsible FI;
    • reading and understanding risk warning messages before performing high-risk activities;
    • reporting any unauthorised activity to the Responsible FI within 30 calendar days after receipt of notification for such activity; and
    • activating the kill switch provided by the Responsible FI upon being notified of an unauthorised transaction.
  • Dispute resolution process: A Responsible FI must:
    • have a dispute resolution mechanism to process disputes over claim investigation results (Disputed Investigation), including reporting channels for account holders to raise the Disputed Investigation;
    • complete a Disputed Investigation within 21 business days from its receipt, unless exceptional circumstances warrant an extension; and
    • waive or withhold settlement of charges directly relating to the disputed transaction until the final resolution of the Disputed Investigation, including after any dispute before the Financial Industry Disputes Resolution Centre (FIDReC).

Conclusion

The proposed changes to the EUPG introduce new wide-ranging duties and responsibilities on both Responsible FIs and account holders to address digital scams.  As noncompliance can lead to substantial financial losses, Responsible FIs and account holders should be mindful of the changes to the EUPG, and be ready to comply once the updated EUPG is finalised and implemented.

For More Information

OrionW regularly advises clients on payment services matters. For more information about the regulation of payments services in Singapore, or if you have questions about this articles or other payment services matters, please contact us at fintech@orionw.com.

Disclaimer: This article is for general information only and does not constitute legal advice.

Newsletter

Subscribe to
our newsletters

To subscribe, select the newsletter options that interest you (TMT, FinTech or DPC - Data Protection and Cybersecurity) and provide your details.

  • TMT - Technology, Media and Telecommunications
  • FinTech
  • DPC - Data Protection & Cybersecurity
Please read our Privacy Policy. You can unsubscribe at any time.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
contact us
OrionW LLC
Level 37, 16 Collyer Quay
Collyer Quay Centre
Singapore 049318

OrionW is a boutique law firm specialising in Singapore and cross-border corporate, commercial and regulatory matters, with a focus on technology, media and telecommunications (TMT) and financial technology (FinTech). We are dedicated to providing excellent legal service to clients at the leading edge of their markets.

OrionW LLC (UEN 201505714C) is a Singapore law practice incorporated with limited liability.