The Monetary Authority of Singapore (MAS) has proposed new E-payments User Protection Guidelines (Guidelines) to encourage the wider adoption of electronic payments (e-payments) by individuals or micro-businesses by enhancing consumer or account user protection. Most banks and other providers of mainstream e-payment accounts already provide certain levels of protection against losses arising from unauthorised or mistaken e-payments in their account terms and conditions, particularly if those providers have adopted payment card scheme rules and the Association of Banks in Singapore’s Code of Consumer Banking Practice. MAS aims to make e-payments simpler and more secure to use by:
- Standardising the protection given to users arising from unauthorised or mistaken e-payment transactions under the Guidelines; and
- Assuring e-payment users that they are protected from unlimited liability where the loss arises from situations they are not responsible for.
MAS has released a consultation paper on the Guidelines, the consultation period for which closes on 16 March 2018. Scope of the Guidelines The Guidelines will apply to the following financial institutions (FIs):
- Banks and non-bank credit card issuers under the Banking Act;
- Finance companies under the Finance Companies Act; and
- Widely accepted stored value facility holders under the Payment Systems (Oversight) Act, but not transport stored value cards (MAS intends the Guidelines to protect e-payment users from higher value losses).
MAS intends the Guidelines to provide general guidance, but not replace nor override any legislative provisions. The Guidelines should be read in conjunction with the related legislation, subsidiary legislation as well as written directions, notices, codes and other guidelines issued by MAS. Protections The Guidelines will only cover the following account holders (including supplementary credit card holders and a joint account holders):
- Individuals; and
- Micro-businesses, which MAS defines as any business employing fewer than 10 persons or with an annual turnover of no more than SGD 1 million.
Payment accounts should be of the type that:
- Allow for electronic payment transactions to be made; and
- Are operated by a bank, credit card company, finance company or widely accepted stored value facility holder.
The Guidelines will protect payment accounts that are credit facilities or have a load capacity of greater than SGD 500 where a large amount of account user funds may be lost in an unauthorised or mistaken payment transaction. The account holder who takes proper care of its account will not liable for any loss arising from an unauthorised transaction if the loss arises from any of the following situations:
- Fraud or negligence by the responsible FI, its employee, its agent or any third party engaged by the responsible FI;
- Fraud or negligence by a merchant from whom any account user purchases or has previously purchased goods or services, or that merchant’s employee or agent;
- A device including an authentication device, access code, unique identifier, application or system that is not valid, including one that is compromised, forged, faulty, expired or terminated, but not by reason of any account user’s action;
- A payment transaction requiring the use of an authentication device, access code or unique identifier, that is initiated or executed before any account user received the authentication device, access code or unique identifier;
- A payment transaction that was initiated or executed after the responsible FI was informed by any account holder that there has been a breach or loss of the protected account or any authentication device or access code for that protected account;
- Any account holder shows that the account user has not contributed to the loss, and where the account holder shows that the account user complied with Part B, that fact shall be one factor the account holder may rely on in assisting the account holder to show that the account user has not contributed to the loss; or
- The responsible FI did not comply with any of the user protection duties set out in the Guidelines and such non-compliance caused the loss.
Limits and Exceptions
The Guidelines also sets the following limits to the FI's exposure:
- A negligent account holder will be liable SGD 100 of the total loss arising from any unauthorised transaction if any user of the account contributed to the loss by misplacing the account authentication device or access code or delaying reporting of the unauthorised transaction; and
- A reckless account holder will be liable for the full loss arising from an unauthorised transaction if the FI can show that the account holder failed to carry out its duties under the Guidelines, such as:
- Failed to monitor transaction notifications or failed to report any unauthorised transactions by the next business day from receipt of any transaction notification;
- Failed to protect or disclosed access codes; or
- Failed to protect access to the account (for example install and maintain regular security updates and the latest anti-virus software on the device used to access the protected account; or use strong passwords).
The Guidelines will not cover scams and other transactions generally intended to deceive and cheat, as MAS determines these are more suitably addressed through police investigations and more specialised guidelines.
Effect on FIs
FIs should take full note of their responsibilities set out in the Guidelines and adjust both their internal polices as well as their customer terms and conditions to ensure full compliance. Internal policies Ensure the transaction notifications sent to each account holder fulfils the all Guidelines criteria on:
- Comprehensiveness of transaction information and recipient credential information; and
- Provision of a contact to report unauthorised or erroneous payment.
Except where the FI believes the account holder was negligent or reckless, the FI should credit the account holder with the total loss arising from any unauthorised transaction, regardless of whether the investigation of any claim is still underway. Understand and apply the processes and timelines expected of the FI in order to comply with the Guidelines' "reasonable efforts to recover sums sent in error". Customer terms and conditions Set out the Guidelines' user protection duties in the account agreement. Obtain the account holder’s written acknowledgement of the user protection duties which comprise: