Lessons Learned from New Scam Regulations in Asia Pacific

Global news coverage has been paying a lot of attention to the recent regulatory developments addressing scams in Europe and in the United Kingdom. But these are not the only places where significant scam regulation and defense improvements are being deployed.

In this post we delve into how three countries in Asia Pacific are taking their own approach to combatting scams. In particular we will examine Hong Kong's innovative fraud alert system that bolsters consumer confidence, Singapore's Shared Responsibility Framework which outlines duties and responsibilities of not only the financial institutions (FIs), but also telcos, and Australia's comprehensive Scam-Safe Accord which wants to take data sharing to the next level.

In my opinion these varied approaches to protecting consumers and preserving the integrity of their financial systems will be an inspiration for regulators in other countries in the region and the world.  These changes will also inspire fraud and risk leaders to wonder and debate what is next for them.

Empowering Hong Kong Consumers with Scam Prevention Tools

In Hong Kong, the rise of digital transactions has been paralleled by an increase in financial scams. In response, Hong Kong has implemented a pioneering fraud alert system, setting a new standard in consumer protection and scam prevention that goes beyond what many govenments and countries use today in the form of Confirmation of Payee.

The initiative is a significant collaborative effort, bringing together the Hong Kong Police Force, Hong Kong Monetary Authority (HKMA), The Hong Kong Association of Banks, and 44 major retail banks. The solution, integrated into the Faster Payment System (FPS), allows for police and government officials to develop tools that consumers can use to better protect themselves from scams.

At the heart of this is Scameter, a mobile app that notifies users of high-risk transactions in real time. When a recipient’s proxy ID (phone number, email address or FPS identification code) on a FPS transaction is deemed as “High Risk” in the Scameter, the user of the application receives an immediate warning. This prompt alert mechanism empowers consumers to make informed decisions, helping protect them in real time and significantly reducing the likelihood of falling prey to scams.

In the image below you can see the type of alerts the Scameter app might provide to the person initiating the payment (image courtesy of Cyber Defender Hong Kong).

Despite these technological and data sharing advancements, Hong Kong's regulatory bodies remain vigilant, recognizing and highlighting to consumers that the absence of an alert does not guarantee transaction safety. Unlike some regulators across the globe, Hong Kong’s regulatory body has not indicated any plans to change the rules around the liability for the loss because of a scam, neither in favour of the consumer nor by putting more pressure on the receiving institution.

The solutions deployed by Hong Kong help to empower the consumers to be able to self-validate more effectively whether the payment they are making is a scam or not. But do they go far enough in dealing with the problem and ensuring the trust of customer in the payment network? And will the customers continue to be liable for loss even when the Scameter does not indicate a risk?

I suspect these are not the last measures Hong Kong will be implementing to mitigate scams.

Singapore’s Waterfall Shared Responsibility Framework

In Singapore's dynamic digital economy, the challenge of combating financial scams has led to the proposal for the Shared Responsibility Framework (SRF). Led by the Monetary Authority of Singapore (MAS) and Infocomm Media Development Authority (IMDA), the SRF represents a groundbreaking shift in scam prevention. It advocates for a collective responsibility model, allocating scam loss responsibilities among financial institutions (FIs), telecommunication operators (telcos), and consumers. This approach aims to foster a more integrated and cooperative ecosystem for digital transaction safety.

The SRF emphasizes the need for FIs and telcos to implement robust anti-scam measures. The framework significantly elevates the standard of consumer protection by ensuring that the entities directly involved in payment ecosystems or communication channels used by the fraudsters are more accountable for scam losses.

Under proposed legislative frameworks, these institutions would have to pay victims of scams if they are found to have come up short in fulfilling their protective duties outlined in the SRF legislation, such as:

1. For banks:
   1. Impose a 12-hour cooling off period upon activation of digital security token during which “high-risk” activities cannot be performed.
   2. Provide notification alert(s) on a real-time basis for the activation of digital security token and conduct of high-risk activities.
   3. Provide outgoing transaction notification alert(s) on a real-time basis.
   4. Provide a (24/7) reporting channel and self-service feature (“kill switch”) to report and block unauthorized access to their accounts.
2. For telcos:
   1. Connect only to authorized aggregators for delivery of Sender ID SMS to ensure these SMS originate from bona fide senders registered with the SSIR.
   2. Block Sender ID SMS which are not from authorized aggregators to prevent delivery of messages originating from unauthorized SMS networks.
   3. Implement an anti-scam filter over all SMS to block SMS with known phishing links.

Below you can see the example from the proposed legislation, outlining how the waterfall approach would work in practice:

While these details are still going through a consultative period before the new regulation is formally in place, this gives us a very good glimpse into what to expect from the Monetary Authority of Singapore.

My expectation is that these measures will expand beyond just financial institutions and telcos and will incorporate social media providers in the future (where most scams around the globe originate), and I would not be surprised to see the list of duties expected of all participants to expand.

The big question consumer protection groups will be asking is whether the liability change measure goes far enough in protecting the unsuspecting victims, especially in a world where AI makes it harder and harder to tell real from fake.

Australia’s Comprehensive Anti-Scam Initiative

Australia has also taken big strides in regulatory changes and introduced the Scam-Safe Accord, a concerted initiative led by the Australian Banking Association (ABA) and the Customer Owned Banking Association (COBA). This Accord shows commitment from Australia’s financial institutions, including community-owned banks, building societies, credit unions, and commercial banks, to elevate the standard of customer protection and effectively counter scams. It's a response to the alarming statistic that Australians lost $3.1 billion to scams in 2022, marking an 80% increase from the previous year. The Accord encompasses a series of comprehensive anti-scam measures, aiming to disrupt, detect, and respond to the evolving scam threats.

Consumer protection groups have been lobbying the Australian regulator to follow some of the other countries and deploy a Confirmation of Payee system. We can see the Australian regulator committing to that as part of their strategy with a $100 million investment in an industry-wide confirmation of payee initiative.

Other measures include the requirements for biometric checks for new online accounts, enhanced warnings, and delays for new payees or increased payment limits, and most importantly for the entire association to come together and invest in an expansive intelligence-sharing network across the banking sector. The objective of this data-sharing initiative is to help banks prevent more scams and recover funds for customers faster and more effectively.

Based on previous communication from the Australia’s National Anti-Scam Centre, I expect these measures will not stop at the financial institution only, and the data-sharing mechanisms will grow beyond just the banks. The regulators are already thinking about expanding the data distribution to other industries, such as telcos, enabling them to block a call, or digital platforms, which can take down a website or an account where the scam has originated.

The big question that remains unanswered for now is around the liability shift. Will the Australian regulator follow suit with the United Kingdom and enforce liability sharing between the receiving and originating bank? Will it take a similar stance to Singapore with a waterfall approach between different industries? Or will it leave the onus on the consumers to stay vigilant and look out for themselves?

Scam Regulations in Latin America

It’s intriguing to see how the topic of scam regulation is addressed across different countries, and taking a quick glance at Latin America, another region with paced fast growth in real-time payment services and digitally savvy consumer base, we see some similarities.

Brazil appears to be spearheading the regulatory changes in the region, with the recent deployment of Resolution 6, a change that requires financial institutions, payment institutions and other institutions authorized to operate by the Central Bank of Brazil to collect data on fraudulent transactions and to share that data.

They are looking at what is happening in United Kingdom, Europe & USA and are taking their own steps to secure their own payment ecosystem to maintain consumer trust in the highly popular real-time payment service Pix.

We expect to see developments and more news coming out from Mexico, Colombia, and Peru. My colleague Pierre Isensee takes a deeper look at the current state of scams and regulation across the Latin America in his latest post.

How to Prepare for Scams Regulations

The innovative and collaborative approaches to scam regulation in Hong Kong, Singapore and Australia offer valuable lessons and insights into different solutions to combating financial fraud. They each will have their pros and cons, and I’m fascinated by how diverse and different the stances are taken by the regulator in each country.

The focus of their approaches is tailored towards minimal disruption to the payment ecosystem and instilling consumer confidence in real-time payments. 

Countries across Asia are likely to observe and learn from these solutions — adapting and implementing similar strategies tailored to their unique financial ecosystems and consumer base.

What are the key areas that might see the most significant change over the coming years?

1. Data Sharing & Collaboration

As regulatory approaches that incorporate data sharing come into practice across many countries, I expect more movement to develop data-sharing platforms & fraud investigative processes that aim for simplicity, speed and accuracy. On top of that, we will see greater emphasis on cross-border cooperation to further investigations and policy development, such as the Multilateral Memorandum of Understanding in Americas.

2. Consumer Protection

The trend towards more consumer-centric regulations will continue. We will see more demand for laws that not only prevent scams but also provide robust support and protection for victims (including reimbursement). This shift will eventually lead to regulations that put more pressure not only on financial institutions and telecom services, but also on internet service providers and social media networks to collaborate and invest more in scam preventative measures.

3. Consumer Empowerment

The focus will remain to enable more direct involvement of consumers in scam prevention efforts, both through mass-marketing educational campaigns and tools that empower individuals to safeguard their own financial security (such as Scameter or Australia’s recently announced Confirmation of Payee project). On top of that, I fully expect more movement in this space in both the telco and social media industries, as they join efforts in highlighting risky accounts, phone numbers and other flags that help alerts recipients of potential scams.

4. Technological Advancements

We will witness an increased focus on the role of technology not just as a tool for fraud detection but also as a means of fostering safer digital transaction environments. Advancements in AI and machine learning will play significant roles in future regulatory frameworks, enhancing scam detection and reducing consumer friction. We’ve seen the pace at which AI has been moving over the past year — we need to ensure our tools are keeping up with the technology and are not left behind.

For example:

• Are my fraud tools flexible enough to ingest any sort of new information rapidly and utilize it in my transactional decisioning in real-time?
• Do I have the means to easily customize & develop my customer communication based on a plethora of factors and variables, build intelligence into the messaging, and adapt it to new circumstances at a minute’s notice?
• Do I have the right tools to use the great models my team is building in-house, or do I get hampered by inefficiencies and technological restrictions that prevent me from deploying these models into production?
• Do my fraud prevention tools allow me to evaluate data and decisions taken through the customer lifecycle, from application through early life all the way to extended life to make better and more informed decisions?

If you’re already facing such technological problems today, they will only grow and get compounded the more advanced AI and other technology gets.

Based on what we’ve seen around the globe, those financial institutions that are thinking ahead in the regulation game and helping to drive the conversations with regulators are most poised for success when change does occur.

FICO’s fraud consulting team stands ready to help customers in APAC address the issues raised by scams and new regulations.

How FICO Helps Detect and Prevent Scams

• Explore FICO’s innovative fraud protection technology
• Learn how real-time customer communications can help stop fraud
• Read about FICO’s award winning, machine learning-powered retail banking model with scam detection score
• Download the FICO 2023 Scams Impact Survey