BUILDING AN INCLUSIVE AND SAFE DIGITAL SOCIETY: That this House reaffirms our commitment to adopt a whole-of-nation approach to sustain trust by building an inclusive and safe digital society.
Mr Speaker Sir,
I rise to speak in support of the motion.
PSP agrees that a whole-of-nation approach to build an inclusive and safe digital society is very much needed. As society digitalised over the past decade, there has been an increase in the prevalence of many varieties of online scams, which has lowered the trust level of many Singaporeans in digital tools. Horror stories abound of people losing their life savings in the twinkling of an eye. Last year, my parents gave me half their life savings to put in MY bank account, not in theirs, because they are not confident of not losing it to scams. Their trust level in the security of their money in their bank account has never been so low in their entire lives. I am sure that many other Pioneer and Merdeka Generation Singaporeans share my parents’ sentiment.
Over the years, the Government has been promoting financial self-reliance by Singaporeans. For most of us, our own savings is what we have to rely on to meet our expenses and to live in dignity. Any compromise to the security of our savings is a big deal to us. Given the gravity of the issue, I feel that the Government can do more to safeguard citizens’ savings and foster a strong culture of consumer protection.
Limited scope of Shared Responsibility Framework
The proposed Shared Responsibility Framework (SRF), which assigns financial institutions and telcos relevant duties to mitigate phishing scams, and requires payouts to affected scam victims where these duties are breached, is a step in the right direction, but it is just a baby step. There are two main issues with the SRF.
Firstly, the SRF has a limited scope. It only covers phishing scams, and does not cover the whole range of other scams including malware scams, police official scams, investment and love scams. Its protection is thus rather limited. For example, in the recent case of a family losing their life savings due to downloading malware when they tried to buy organic eggs, the SRF does not help them at all.
Secondly, the duties that financial institutions and telcos are required to carry out are extremely limited. For example, under the SRF, financial institutions are directed to perform four duties:
- Impose at least a 12-hour cooling period after activation of a digital token, during which high-risk activities cannot be carried out,
- Send notification alerts for activation of a digital token and conduct of high-risk activities,
- Provide outgoing transaction notifications by way of SMS, email or in-app notification selected by the consumer, and
- Provide a 24/7 reporting channel and a self-service feature for consumers to promptly block online payment transfers from their accounts.
These four duties do not create a sufficient incentive for financial institutions to proactively protect their customers and to remove potential for fraud from their systems. While vigilance and personal responsibility of the consumer are a critical line of defence against scams, the average consumer has fewer resources to protect themselves against scams than financial institutions do.
Financial institutions have the capacity to do more to protect consumers against scams with systems to monitor transactions and detect suspicious payment flows. Large overseas transactions by individuals who rarely or never perform them should immediately trigger alarm bells within the systems of financial institutions. This would not affect businesses that regularly perform such transactions, and would not be difficult to implement given the scale and capacity of the IT infrastructure at financial institutions.
In contrast to Singapore’s framework, jurisdictions like the UK have moved towards mandating full reimbursement to scam victims by banks, except in cases of fraud or gross negligence by the consumer. This model has also been considered in Australia and the EU.
I acknowledge that there are moral hazard issues with a full reimbursement, and would thus like to suggest a co-sharing of liabilities between the bank and the consumer.
In assessing the issue of online scams, there is a trade-off between financial security on the one hand and convenience and productivity on the other. If banks are totally not liable for any losses, then they have only financial incentives to move more and more towards digital financial transactions and services due to the savings in manpower costs. The cost of digital financial transactions comes in the form of greater ease of losing huge amounts of money, and it is being borne by bank customers, especially the most vulnerable. In addition, banks are in control of the security features in their banking apps and the payment processes, but customers, who have no control over those, pay the price for any inadequacies. This is clearly not balanced and hence not tenable.
In considering the trade-off between financial security and convenience and productivity, it may be difficult for the authorities to draw a line for everyone. For example, when OCBC introduced security features in their banking app that prohibited the downloading of suspicious apps, there were complaints from some customers. It is foreseeable that different customers will have different needs. But there is no need for a one-size-fits-all. I urge the Government to consider a multiple-tiered system with different levels of security vs convenience.
Banks can offer different versions of banking apps and processes: for example, one with maximum security features and low convenience that comes with a 75% reimbursement of financial losses by the banks in cases of online scams not covered by the SRF, and another with lower security features that comes with a 50% reimbursement, for customers who need greater convenience. Banks can adjust the security features in their apps and processes to be commensurate with the different levels of liability. For example, banks might want to re-evaluate the benefits of requiring a separate physical token. The Honorable Member Ms Sylvia Lim had spoken previously about the difficulties of getting one from the bank. Whilst the token is an additional cost for banks, it provides the added security of requiring a second device for the authorisation of transactions, not just a handphone which can be hijacked by malware. Using again the example of the family involved in the recent egg scam, if a physical token had been required, the family might not have lost their life savings.
Banks are private commercial entities. They are expected to conduct cost benefit analysis in evaluating any investments in additional security measures. But the government can alter their cost benefit analysis by imposing a loss-sharing arrangement, which can lead to a different decision.
Reimbursements can be subject to an upper limit of a loss amount equivalent to the basic retirement sum.
Under such a model, both the banks and their customers share the liabilities of any losses due to scams and they both have incentives to be vigilant. Customers can choose the level of security they are comfortable with. Banks will have incentives to push online transactions in line with their ability to provide security, thereby ensuring that the development of digital financial transactions is a more balanced and holistic one. The maximum limit on reimbursement helps to limit the banks’ exposure and at the same time ensure that the most protection is given to the most vulnerable.
CPF Board should be assigned duties to mitigate scams
Another institution to which duties should be assigned to mitigate scams is the CPF Board, where many Singaporeans’ life savings are held. It is very worrying that recently, there has been a trend where CPF accounts were emptied by scammers who had taken control of the user’s SingPass and bank accounts. It was only in June 2023 that the CPF Board and GovTech introduced Singpass Face Verification as a step-up authentication challenge for certain CPF e-services.
In October 2023, my colleague Mr Leong Mun Wai asked a Parliamentary Question regarding why the CPF website has not implemented security measures commonly implemented by banks, such as transaction limits and kill switches. It is heartening to know that with effect from 30 November 2023, a default online CPF withdrawal limit of $2,000 a day will be applied to all CPF members aged 55 and above.
However, this default daily limit can still be adjusted to any amount up to $200,000 at any time online. This includes those CPF members who have activated the CPF Withdrawal Lock which instantly sets the daily withdrawal limit to $0.
Singpass Face Verification is required for changing the withdrawal limit. I would like to ask the Government to confirm whether the face verification can be passed by using a photo of the scam victim. Would it strengthen the protection to require CPF members who have activated the CPF Withdrawal Lock to change the withdrawal limits in person at a CPF service centre, similar to the arrangement for the banks’ money lock accounts?
The same duties that we impose on banks to protect the savings of bank customers should also similarly be imposed on CPFB to protect the retirement savings of CPF members.
Finally, I would like to talk about SingPass. We have seen examples of how scammers can take control of victims’ SingPass. I am concerned about the wealth of information available in SingPass – information like family members, education background, income and CPF information etc. If scammers took control of victims’ SingPass, wouldn’t they gain very comprehensive information about individual victims and their family members, to enable them to devise more ways of scamming? Is this wide range of information necessary? Would the government consider re-introducing physical tokens for SingPass?
Mr Speaker, Mandarin please.
As a nation, we need to adopt a proactive and holistic approach to fight scams and create an inclusive and safe digital society for all. Scams have serious consequences for victims. Beyond financial losses, victims also suffer from mental and emotional trauma, such as the embarrassment of having fallen for a scam. There are also financial implications on their family members, such as a child who may by law be responsible for the maintenance of a parent who has lost their life savings to a scammer.
Society must ultimately pick up the tab when people lose their life savings to scammers and their ability to live independently, and must instead rely on handouts and charity to survive.
A recent study by the Global Anti-Scam Alliance revealed that Singapore has the dubious honour of being the country with the highest amount lost to scams per victim. This makes Singaporeans the most attractive targets for scammers. There is much more we can do as a nation to create a safer digital society. Let us all work together to achieve this.