26 October, 2018
On 13 February 2018, the Monetary Authority of Singapore (“MAS”) conducted a public consultation on the establishment of a framework to protect certain vulnerable users from losses, arising from unauthorised or erroneous payment transactions from accounts maintained with certain financial institutions (“FIs”), such as banks and holders of stored value facilities.
After receiving feedback from the public, MAS has on 28 September 2018 finalised its policy posture on the framework, and issued the E-Payments User Protection Guidelines (“Guidelines”).
Overview
The Guidelines aim to establish a common baseline protection offered by in-scope FIs in respect of losses arising from unauthorised or erroneous transactions, and cover the following areas:
(a) application of the Guidelines
(b) duties of account holders and users;
(c) duties of the in-scope FIs;
(d) liability for losses arising from unauthorised transactions; and
(e) specific duties in relation to erroneous transactions.
Application
In-scope FIs
The Guidelines will apply to the following FIs (“responsible FIs”):
(a) banks licensed under the Banking Act;
(b) non-bank credit card issuers licensed under the Banking Act;
(c) finance companies licensed under the Finance Companies Act; and
(d) holders of widely accepted stored value facilities approved under the Payment Systems (Oversight) Act.
In-scope accounts and holders
The Guidelines are meant to afford enhanced protection to individuals and sole proprietors, and will only be applicable in respect of a payment account (“protected account”) that:
(a) is held in the name of one or more persons, all of whom are either individuals or sole proprietors;
(b) is capable of having a balance of more than S$500 (or equivalent amount expressed in any other currency) at any one time, or is a credit facility; and
(c) is capable of being used for electronic payment transactions.
Duties of account holders and users1
The Guidelines set out the duties applicable to account holders and users of a protected account, as summarised below:
(a) account holders are expected to provide the responsible FI with complete and accurate contact information and monitor notifications;
(b) account users are expected to safeguard account access codes (eg to not voluntarily disclose codes to third parties, unless instructed to do so);
(c) account users are expected to protect access to the protected account (eg to ensure the device to access the protected account is secure and uses strong passwords);
(d) account holders are expected to report unauthorised transactions to the responsible FI as soon as practicable, after receipt of any alert for any unauthorised transaction via proper channels;
(e) account holders are expected to provide comprehensive information on unauthorised transactions within a reasonable time to the responsible FI; and
(f) account holders are expected to make a police report if the responsible FI requests such a report to be made to facilitate its claims investigation process.
Duties of the responsible FI
The Guidelines also set out the duties of responsible FIs. In summary, responsible FIs are expected under the Guidelines to:
(a) clearly inform the account holder of user protection duties, ie the duties of the account holder and account user (as set out above), and the responsible FI (as set out below);
(b) provide timely transaction notifications to account holders in respect of all transactions made to or from the account holder’s protected account2;
(c) provide recipient credential information, ie an onscreen opportunity for an account user of a protected account, to confirm the payment transaction and recipient credentials before the transaction is executed;
(d) provide reporting channels for the purposes of reporting unauthorised or erroneous transactions;
(e) assess claims and complete claims investigation related to unauthorised transactions to determine account holder’s liability; and
(f) credit the account holder’s protected account with the total loss arising from any unauthorised transaction, where it has been determined that the holder is not liable for any such loss.
Liability for losses arising from unauthorised transactions3
The Guidelines set out the circumstances under which an account holder of a protected account is liable for losses arising from unauthorised transactions, as follows:
(a) the account holder of a protected account is liable for actual loss arising from an unauthorised transaction where, any account user’s recklessness (eg non-compliance with his duties under the Guidelines) was the primary cause of the loss. The actual loss that the account holder is liable for is capped at any applicable transaction limit or daily payment limit that the account holder and responsible FI have agreed to;
(b) the account holder of a protected account is not liable for any loss arising from an unauthorised transaction if, the loss arises from any action or omission by the responsible FI (eg fraud, negligence, or non-compliance of duties by the FI) and does not arise from any failure by any account user to comply with any of his duties under the Guidelines; and
(c) Where the loss arises from any action or omission by any third party independent of the responsible FI and does not arise from any failure by any account user to comply with any of his duties under the Guidelines, the account holder of a protected account is not liable for any loss arising from an unauthorised transaction that does not exceed S$1,000.
In this regard, responsible FIs will likely be expected to revise their account agreements to give effect to the above standards set by MAS.
Notwithstanding the above:
(a) where the account agreement specifies a lower amount for the account holder’s liability in the same situations described above, the responsible FI should honour such lower amount; and
(b) the responsible FI may offer to reduce the account holder’s liability specified above, on a case by case basis.
Specific duties in relation to erroneous transactions4
The Guidelines also set out the duties applicable to FIs and account holders in respect of erroneous transaction, as follows:
(a) duty of FIs: Where an account holder has informed his responsible FI that he or an account user has initiated an erroneous transaction, and the account holder’s FI has informed the wrongful recipient’s FI of the erroneous transaction, the FIs of both the account holder and of the wrong recipient should make reasonable efforts to recover the sum sent in error.
That said, the FIs are not expected to resolve each erroneous transaction claim but to facilitate effective communication between the account holder and the recipient with the aim to improve the account holder’s chances of recovering the payment amount sent through the erroneous transaction; and
(b) duty of the account holder: The account holder is expected to provide all information on erroneous transaction requested by the responsible FI.
The Guidelines, which will become effective on 31 January 2019, can be accessed here.
1 Under the Guidelines:
“account user” refers to: (a) any account holder; or (b) any person who is authorised in a manner in accordance with the account agreement, by the responsible FI and any account holder of a protected account, to initiate, execute or both initiate and execute payment transactions using the protected account; and
“account holder” refers to any person in whose name a payment account has been opened or to whom a payment account has been issued, and includes a joint account holder and a supplementary credit card holder.
2 This duty only applies in respect of a credit card, charge card or and debit card issued by the responsible FI.
3 This does not apply to any responsible FI in respect of any credit card, charge card or debit card issued by the responsible FI.
4 Under the Guidelines, an “erroneous transaction” is a payment transaction from a protected account such that money has been placed with or transferred to the wrong recipient.