Earlier this year, it was reported that victims of online scams have collectively lost up to a total of RM3.2 billion between 2020 and 2023 in Malaysia¹. Common types of digital scams currently include phishing, formjacking, identity theft, fake anti-virus software and malware. In an effort to curb such scams, our former finance minister had this month² called for a law holding financial institutions and telecommunication companies (telcos) partially liable for financial losses resulting from digital scams to be introduced in Malaysia.  

As at today, victims of scams in Malaysia may seek existing avenues of recourse by commencing a civil action or reporting the matter to the relevant authorities, depending on the nature of scam. For instance:-

1. victims of cyber scams can resort to the Malaysian Communications and Multimedia Commission (MCMC);

2. victims of consumer-related scams may report to the Ministry of Domestic Trade and Consumer Affairs; and  

3. victims of financial scams can turn to Bank Negara Malaysia.

In this regard, Singapore may be a step ahead of the curve in Asia. The Monetary Authority of Singapore (MAS) and Infocomm Media Development Authority had late last year published a joint consultation paper proposing a SRF for phishing scams. The SRF focuses on phishing scams as they are a common and known scam type that result in unauthorised transactions in Singapore, and clear duties can be set for ecosystem players to safeguard against phishing risk³. Under Singapore’s proposed “shared responsibility framework” (SRF), financial institutions and telcos are to provide payouts to scam victims for a defined set of scams in cases where specific anti-scam duties are breached. Such framework is aimed at strengthening the overall resilience of Singapore’s digital landscape against the threats posed by cybercriminals.  

The following scams are excluded from the proposed SRF:-

1. Scams where victims authorize payments to the scammer, e.g. payments arising from investment or love scams;

2. Scams where a consumer was deceived into giving away his credentials to the scammer directly via text messages, and non-digital means;

3. Unauthorised transaction scam variants that do not involve phishing, e.g. hacking, identity theft, and malware-enabled variants; and

4. Malware scams.

The proposed SRF was intended to be implemented via a set of guidelines which will assign financial institutions and telcos relevant duties to mitigate phishing scams, and requires payouts to affected scam victims where duties are breached. Measures under the proposed SRF in Singapore include banks sending outgoing transaction alerts to customers, telcos implementing scam filters for SMS and strictly maintaining standards of anti-scam controls.

Under Singapore’s proposed SRF, a “waterfall” approach⁴ was to be adopted for sharing of responsibility, in that:-

1. The responsible financial institution is placed first in line and is expected to bear the full losses if any of its duties have been breached. This recognizes the primary accountability that financial institutions owe to consumers as custodians of their money.

2. If the financial institution has fulfilled all of its duties under the SRF, and the telco is assessed to have breached its SRF duties, the telco is expected to bear the full losses. Telcos’ placement in the “waterfall” approach is commensurate with their secondary and supporting role (relative to financial institutions) as an infrastructure provider for the SMS mode of communication.

3. If both the financial institution and telco have carried out their SRF duties, the consumer bears the full scam losses. However, the consumer may still pursue further remedies through existing avenues of recourse, such as through the Financial Industry Disputes Resolution Center (FIDReC).  

Aside from the SRF guidelines, MAS had proposed enhancements to its E-Payments User Protection Guidelines (EUPG). The EUPG deals with unauthorized and erroneous transations (and not just phishing scams), setting out the responsibilities of financial institutions and consumers, and their liability for losses. The proposed enhancements to the EUPG would cover added responsibilities of (i) financial institutions with regard to anti-scam measures in relation to phishing and malware-enabled scams; and (ii) consumers to take necessary precautions. As at the date of this alert, it is expected that the SRF will be rolled out in Singapore sometime in 2024 although there has been no further media reports on progress.

In Australia, its government had introduced the Scam-Safe Accord⁵, a concerted initiative led by the Australian Banking Association (ABA) and the Customer Owned Banking Association (COBA). The Accord includes six priority initiatives in a bid to make banking safer for Australian consumers which include: advanced name-checking technology, biometric checks, and intelligent threat-sharing mechanisms. These countermeasures aim to detect suspicious activities more effectively, disrupt scam operations and block the flow of funds into high-risk channels⁶. This Accord demonstrates commitment from Australia’s financial institutions, including community-owned banks, building societies, credit unions, and commercial banks, to elevate the standard of customer protection and effectively counter scams. At the same time, the Australian government is working on tough new industry codes for banks, telcos and digital platforms, which will set clear, robust obligations to protect Australians from scams which is targeted to sit alongside the work on cybersecurity and information privacy. However, it is pertinent to note that as at the date of this alert, the current codes applicable in Australia do not cover a liability shift from consumers to financial institutions and telcos, as in the case of the SRF in Singapore, despite recent calls by consumer groups and community legal centres to do so⁷.  

Over in the United Kingdom, a mandatory reimbursement requirement for authorized push payment (APP)⁸ fraud has been introduced, with such rules requiring UK payment service providers to reimburse all in-scope customers who fall victim to APP fraud, save for limited exceptions⁹. In this respect, all UK Payment Service Providers will be required to reimburse¹⁰ their customers for APP fraud losses, but there will be a ‘standard of consumer caution’ applied which could see reimbursement claims denied. Under this standard, customers might not be reimbursed if the financial provider can demonstrate the customer hasn’t been careful or cooperative enough. Hence, customers would need to pay attention to warnings about suspected APP fraud attempts from their bank, notify their bank about the fraud in good time, share information about the fraud with their bank, and consent to fraud details being reported to the police. With regards to liability of financial institutions, the responsibility for reimbursement is shared between the originating bank and receiving bank in relation to the APP fraud. This is in contrast with the “waterfall approach” adopted by the SRF to be introduced in Singapore.

Similar regulatory developments in relation to addressing scams are being developed across various jurisdictions, and countries across Asia are likely to observe and learn from these solutions tailored to each unique financial ecosystems and consumer base.  

Should a similar “shared responsibility framework” be adopted in Malaysia in relation to the accountability of financial institutions and telcos to consumers, it is pertinent for such framework to set out clearly the definition and scope of scams to be covered under such framework and the enforceability of such framework within the existing Malaysian legislative structure. Potential legal issues such as data protection issues and clear stages in the handling of claims process and dispute resolution process should also be considered. Further, the implementation of a “shared responsibility framework” in Malaysia may pose a set of challenges that span technological, operational, and regulatory domains. In this regard, financial institutions and telcos may face the need to overhaul existing technological systems to meet requirements imposed under such a framework.  

Alert by Annabel Kok (Corporate Partner) of Messrs Rajasekaran.

The contents of this alert do not constitute legal advice nor an expression of legal opinion and should not be relied upon as such. If you require any further information, kindly contact annabel@rajasekaran.co.

Contact information:

Datin Jeyanthini Kannaperan Consultant Read Bio jeyanthini@rajasekaran.co

 

Annabel Kok Keng Yen Partner Read Bio annabel@rajasekaran.co

‍

‍