LawFlash

MAS Issues Circular on Anti-Scam Measures for Major Payment Institutions That Provide E-Wallets

01 novembre 2024

The Monetary Authority of Singapore (MAS) published the Circular on Anti-Scam Measures by Major Payment Institutions Providing Personal Payment Accounts That Contain E-money on 25 October 2024, setting out MAS’s supervisory expectations of major payment institutions (MPIs) that are licensed under the Payment Services Act 2019 to carry on a business of providing an account issuance service and that issue personal payment accounts containing e-money (e-wallets) in relation to anti-scam measures.

On 15 December 2023, the Payment Services Regulations 2019 were amended to raise the regulatory limit on the stock cap and flow cap for e-wallets. MPIs that issue e-wallets (MPI e-wallet providers) can now provide individual customers with a stock cap of up to SGD 20,000 (previously SGD 5,000) and a flow cap of up to SGD 100,000 (previously SGD 30,000).

The Circular provides the following:

  • MPI e-wallet providers that wish to raise the stock and/or flow caps for their customers’ e-wallets beyond the previous regulatory limits of SGD 5,000 and SGD 30,000, respectively, are expected to implement the anti-scam measures set out in Annex A of the Circular prior to adopting the higher e-wallet caps.
  • MPI e-wallet providers that do not wish to adopt the higher e-wallet caps should consider the anti-scam measures and progressively implement these measures over time.
  • The board and senior management of each MPI e-wallet provider that adopts the higher e-wallet caps are responsible for ensuring that adequate anti-scam measures are implemented, including establishing a robust governance framework for the oversight of consumer scam risk and fair treatment of customers as well as an incident management process to enable a prompt and coordinated response to targeted and severe scam attacks against customers.
  • In the event that customers bring disputes for losses arising from scams, such disputes should be assessed by an independent unit that is separate from the business functions of the MPI e-wallet provider.

ANTI-SCAM MEASURES TO BE IMPLEMENTED BY MPI E-WALLET PROVIDERS

Preventive Measures

Restrictions on sending clickable links or quick response (QR) codes via email short message services (SMS) or phone numbers via SMS

MPI e-wallet providers should not send clickable links or QR codes via email or SMS to an e-wallet user unless:

  • it is a link or QR code that only contains information for the e-wallet user and does not lead to (1) a website where the e-wallet user provides access codes or performs any payment transaction or (2) a platform where the e-wallet user is able to download and install applications;
  • the e-wallet user is expecting to receive the email or SMS from the MPI e-wallet provider.

MPI e-wallet providers should not send phone numbers via SMS to an e-wallet user unless the e-wallet user is expecting to receive the SMS from the MPI e-wallet provider.

Twelve-hour cooling-off period upon logging in to e-wallet on a new device

When there is a login to an e-wallet holder’s e-wallet on a new device, the MPI e-wallet provider should impose a cooling off period of at least 12 hours from the time of login on the new device where high-risk activities cannot be performed on the e-wallet holder’s e-wallet using the new device.

Additional confirmation when performing high-risk activities and large funds transfers

MPI e-wallet providers should obtain additional confirmation from an e-wallet user prior to allowing any high-risk activity or funds transfers exceeding SGD 1,000 to be performed on the e-wallet, such as by requiring the user to key in additional access codes or other equivalent authentication methods. E-wallet users should also be informed of the risks and implications of performing such high-risk activity or funds transfers at the point immediately before they perform such activity or funds transfer.

Default transaction limit

MPI e-wallet providers should set a default transaction limit of at most SGD 1,000 on outgoing payment transactions from e-wallets [1] and may allow e-wallet users to subsequently adjust their transaction limits above SGD 1,000 if the e-wallet user chooses to do so.

The default transaction limit does not apply to payment transactions that do not draw down from the balance of e-money in the e-wallet holder’s e-wallet and do not need to be applied to scheduled recurring outgoing payment transactions where an e-wallet user’s instructions in respect of such payment transactions were made prior to the MPI e-wallet provider adopting higher e-wallet caps.

Default limit on top-up sources linked to each e-wallet

MPI e-wallet providers should as a default allow no more than two top-up sources (e.g., each bank account, credit card) to be linked to each e-wallet that is issued by the MPI e-wallet provider, if the said top-up source is not verified to be owned by the e-wallet user.

If the e-wallet user wishes to link a top-up source to more than two e-wallets provided by the MPI e-wallet provider, where the said top-up source is not verified to be owned by the e-wallet user, the MPI e-wallet provider should conduct proper due diligence before acceding to the request including seeking explanation from the e-wallet user on the reasons for the request.

The above measures need not be applied to top-up sources that were linked to the e-wallet holder’s e-wallet prior to the MPI e-wallet provider adopting higher e-wallet caps.

Flexibility to opt out of having higher e-wallet caps

MPI e-wallet providers should provide e-wallet users with the choice of opting out from having the higher e-wallet caps.

Detective Measures

Outgoing transaction notification alerts

MPI e-wallet providers should provide transaction notification alerts on a real-time basis for each outgoing payment transaction to each e-wallet holder that the MPI e-wallet provider has been instructed to send transaction notification alerts to in accordance with the relevant transaction notification threshold.

The transaction notification alert will need to satisfy certain criteria such as being sent to the e-wallet holder’s account contact by way of SMS, email, or in-app/push notification and containing certain prescribed information.

Default transaction notification thresholds

MPI e-wallet providers should set the default threshold for outgoing transaction notification alerts at SGD 0. In other words, notification alerts are to be sent for all outgoing payment transactions by default to enable early detection of fraudulent transactions from the e-wallet. MPI e-wallet providers may provide e-wallet users with the option to subsequently adjust their transaction notification threshold if the e-wallet user chooses to do so.

Notification alerts for login to e-wallet on new device or high-risk activities

MPI e-wallet providers should provide notification alerts on a real-time basis to the e-wallet holder when there is a login to their e-wallet on a new device or when any high-risk activities are performed.

The notification alert must fulfil certain criteria including being sent to the e-wallet holder’s existing account contact with the MPI e-wallet provider by way of SMS, email, or in-app/push notification and containing certain prescribed details.

Real-time detection and blocking of suspicious transactions

MPI e-wallet providers presently have an ongoing obligation under the PSN01 on Prevention of Money Laundering and Countering the Financing of Terrorism – Holders of Payment Services Licence (Specified Payment Services) to monitor, on an ongoing basis, transactions undertaken by customers throughout the course of business relations, including implementing adequate systems and processes to detect complex, unusually large, or unusual patterns of transactions that have no apparent or visible economic or lawful purpose and report suspicious transactions in a timely manner.

To mitigate the risk of higher scam losses from e-wallets, or e-wallets being used as a means for moving scam proceeds, MPI e-wallet providers should have capability to detect and block suspicious transactions at all times and inquire into the authenticity of suspicious transactions before allowing such transactions to be executed.

MPI e-wallet providers should review the effectiveness of fraud detection parameters on an annual basis, or as and when there are material triggers.

Remedial Measures

Provision of reporting channel

MPI e-wallet providers should provide e-wallet users with a reporting channel that is available at all times for the purposes of reporting unauthorised or erroneous transactions and blocking further access via mobile and online channels to the user’s e-wallet. The reporting channel is required to adopt certain characteristics.

MPI e-wallet providers should have the ability to freeze compromised accounts immediately upon reporting by e-wallet users and also have dedicated personnel to act as a single point of contact for scam victims to follow up on the status and investigation progress of their case.

Self-service feature (kill switch)

MPI e-wallet providers should provide a kill switch for an e-wallet holder to promptly block access to their e-wallet and disallow outgoing payment transactions to third parties.

The kill switch should be made available in a prominent manner via the mobile application of the MPI e-wallet provider or the reporting channel provided by the MPI e-wallet provider to report unauthorised transactions.

NEXT STEPS

MPIs that provide e-wallets and are intending to adopt the higher stock and/or flow caps for their customers’ e-wallets caps should review their current operations and risk and governance and incident management frameworks to ensure that the anti-scam measures set out in the Circular are adopted prior to raising the e-wallet caps.

MPIs that provide e-wallets but do not intend to adopt the higher e-wallet caps should still consider the anti-scam measures as the regulator’s expectation is for such MPIs to progressively implement these measures over time.

The anti-scam measures set out in the Circular may be reviewed and updated by MAS to take into account future developments in the scams landscape and new scam typologies. This is a developing area, and MPI e-wallet providers should keep a close watch on the changing regulations in this area. The Circular should be read in conjunction with the E-Payments User Protection Guidelines, which were amended 24 October 2024, with the revised Guidelines to take effect on 16 December 2024.

Contacts

If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following:

Authors
Wai Ming Yap (Singapore)*
Joo Khin Ng (Singapore)*
Bernard Lui (Singapore)*
Gina Ng (Singapore)*

*A solicitor of Morgan Lewis Stamford LLC, a Singapore law corporation affiliated ‎with Morgan, Lewis & Bockius LLP

[1] Including scheduled recurring outgoing payment transactions but excluding (1) all outgoing payment transactions initiated by way of using the e-wallet card at physical point-of-sale terminals or ATMs and (2) all outgoing payment transactions made between two payment accounts held in the name of the same person.