Fend off fraud initiatives

The Shared Responsibility Framework (SRF) was announced on 24 Oct 2024 after a public consultation exercise published on 25 Oct 2023 by the Monetary Authority of Singapore (MAS) and the Infocomm Media Development Authority (IMDA). Taking effect from 16 Dec 2024, the SRF is a loss sharing framework managing phishing scams with a digital nexus between financial institutions (FIs) and telecommunications companies (telcos).

The SRF outlines specific responsibilities for FIs which includes:

• putting in place real- time fraud surveillance to detect in-scope unauthorized transactions particularly in a scenario where an account is rapidly drained of a material* sum
• providing a 24/7 reporting channel and self-service feature for customers to immediately block further access to their accounts
• implementing a cooling period of at least 12 hours for high-risk transactions when a new device is provisioned to their mobile banking app
• sending outgoing transaction notification and real-time alerts for activation of digital tokens including conduct of high-risk activities to customers. 

*This applies to account balances of SGD50,000 or more and online transaction payments resulting in more than 50% of account balances transfer out within 24hrs (excludes standing instructions or bill payments maintained with the bank) where the transaction and all subsequent online banking payments would be blocked until the FI is able to obtain further verification from the account holder.

Telcos are required to secure SMS channels by using authorized aggregators and employing anti-scam filters to block suspicious links in SMS messages. The framework follows a ‘waterfall’ approach to determine financial liability with banks typically bearing primary responsibility and telcos accountable if SMS-related vulnerabilities contributed to the scam.

While the regulators and the financial sector step up anti -scam measures to protect and support unfortunate scam victims, customer vigilance play an important part in the ecosystem of defense and are strongly encouraged to keep up with good security practices to protect themselves. Customers have responsibilities under the SRF and the E-Payments User Protection Guidelines (“EUPG”) such as the need to embed good cyber hygiene and safe practices in their daily lives, not clicking on unverified links provided in emails or SMS and maintaining healthy skepticism against deals or promises that are too good to be true.

Duties of customers outlined in Section 3 of EUPG include:

• providing complete and accurate contact information to receive outgoing transaction notifications from FIs
• protecting your access codes secure and access to your account
• monitoring outgoing transaction notifications from FIs, reading content sent with access codes before completing payment transactions or high-risk activities
• understanding the risks and implications of performing high-risk activities
• referring to official sources to obtain website address and phone no of FIs
• reporting unauthorized activities as soon as practicable to FI, and no later than 30 calendar days after receipt of any notification alert for any unauthorized activities
• providing supporting information on the unauthorised transaction such as police report and digital communication trail(s) within 3 calendar days from the date of the notification of the seemingly authorised transaction to the FI, in order to facilitate the claims investigation process
• Activating kill switch provided by the FI to block further digital access to their account if they have reason to believe that their account has been compromised

More information is available at MAS website MAS and IMDA Announce Implementation of Shared Responsibility Framework from 16 December 2024.

Duties of responsible financial institutions and customers in relation to unauthorized and erroneous payment transactions in relation to protected accounts and guidance on liability for losses arising from unauthorized transactions are set out in E-Payments User Protection Guidelines.

I might be a target of scam/fraud activities. How can I block access to my accounts?

You can block access to your current, savings accounts and internet banking facilities through our automated phone banking system immediately in the event of a scam. 

If you need to block your credit card, you can do so using our HSBC Singapore mobile app. Alternatively, you may also speak to our phone banker for further assistance.

Please refer to Online Banking FAQ for details.

Money Lock is our latest anti-scam feature which adds an extra layer of security to your current and savings accounts. This feature safely locks away your funds in local and foreign currencies while continuing to earn the same interest rate, where applicable.

Visit HSBC Singapore app FAQ to find out more.

HSBC has in place security features in our mobile app to provide an additional layer of security for your online banking. These includes:

• Temporarily block/unblock your credit/debit cards
• Report lost or stolen debit/credit cards and request replacements instantly
• Use the app as your Digital Secure Key to authorize transactions

See more information on Mobile Banking with HSBC SG App

Digital Secure Key is a digital version of your physical Security Device that can be accessed from your HSBC Singapore app and it replaces your physical Security Device.  Its functions include generating a unique, one-time use security code for logging onto Online Banking and accessing to the full range of online banking services while providing extra protection for your transactions.

Have a question on Digital Secure Keys? Check Security token frequently asked questions

This is an additional security measure in case Digital Secure Key was set up without your knowledge. If you receive an SMS from us saying your Digital Secure Key has been set up, but you didn't authorize it, the 12-hour waiting period will give you time to report the issue to us.

Check Online Banking FAQ for more information.