Timely Implementation of Shared Responsibility Framework in Malaysia

 

Introduction

In recent times, online or virtual scams have emerged as one of the pressing cybersecurity challenges across the globe, with increasing reliance on digital platforms for most daily activities.

The surge in scam cases in Malaysia has reached alarming levels, with Bukit Aman’s Commercial Crime Investigation Department recording 5,153 scam cases as of 2 February 2025. According to the statistics, this marks a 26% increase in cases from the same period last year. A significant portion of the scams stem from online scams, which remain the leading contributor to commercial crime in this country^[1]. 

Despite the devastating impact on victims, the prevailing narrative tends to attribute these incidents to victims’ greed, ignorance, or lack of digital literacy, thereby placing the financial burden on them. However, it is also worth considering whether other parties may have a role to play in preventing such incidents and sharing responsibility.

In light of this, Bank Negara Malaysia (“BNM”) and the Malaysian Communication and Multimedia Commission (“MCMC”) has introduced various measures and guidelines for Malaysian financial institutions (“FIs”), telecommunication companies (“telcos”) and other related industries to implement within their respective organisations in order to safeguard account users from prevailing online fraud[2]. In fact, some progressive banks and telcos have enhanced their security protocols by implementing additional layers of protection and introducing anti-scam related campaigns for purposes of educating the public. Nevertheless, it is evident that these measures must be further reinforced given the rising number of financial losses attributed to such scams.

 

A Shared Responsibility Approach

In many developed nations, cross-industry collaboration has played a crucial role in addressing online scams. By fostering joint initiatives among key stakeholders such as banks, payment service providers, and mobile network operators, these efforts ensure that the responsibility and liability for combating fraud are shared. This collective approach enhances fraud detection, strengthens consumer protection, and mitigates financial risks across the digital ecosystem.

A notable example in the region is the implementation of Singapore’s Shared Responsibility Framework (“SRF”)^[3], which promotes a collaborative effort among stakeholders to mitigate fraud risks and enhance consumer protection.

 

Functions and Responsibilities under the SRF

The SRF outlines the roles and accountabilities of consumers, FIs and any third-party service providers, as well as telcos in mitigating the risk of online scams. The framework primarily targets phishing scams where impersonators trick online users into revealing sensitive information, but it does not extend its protection to fraud schemes driven by malware or offline deception tactics. 

Some core obligations introduced by the SRF can be observed below:

 

Financial Institutions

• To implement a 24/7 reporting channel for reporting and blocking unauthorised transactions, and self-service features to block mobile and online access to the account.
• To impose a 12-hour cooling-off period when a digital security token is activated, or a login to an account is conducted on a new device, to prevent performance of high-risk activities.
• To block any transactions exceeding the prescribed threshold until further verification is obtained from the account holder.

 

Telecommunication Companies

• For SMS text messages containing sender identifications (“Sender ID SMS”) to only be delivered if it is received from authorised aggregators and block Sender ID SMS from unauthorised aggregators.
• To implement anti-scam filters to identify malicious URLs for all SMS text messages passing through a Telco’s network.

 

Consumers

• To practice good cyber hygiene and take active precautions in protection personal information or account credentials.
• To be aware and only trust details (i.e. phone numbers, website addresses, email addresses) of FIs issued by official sources.
• To only access informational links contained within text messages or emails that the account user is expecting to receive.

 

Allocation of Liability

The SRF also provides clear narrative on the responsibility for losses, which are determined on whether there has been compliance by respective stakeholders and consumers in relation to the framework. Liability under the SRF operates on a cascading “waterfall” approach, ensuring that accountability is assigned based on compliance with prescribed duties.

First level – Under this model, FIs bear the initial responsibility— if a bank fails to fulfill its obligations, such as implementing blocking mechanism for any transactions exceeding the prescribed threshold, it assumes liability for the customer’s losses.

Second level – However, if the bank has met its obligations but the telcos have fallen short, for instance, by failing to implement anti-scam filters to identify malicious URLs SMS text messages passing through its network, the telco then assumes responsibility. The framework ensures that liability is allocated fairly, holding service providers accountable for lapses within their respective domains.

Third level – Only when both the bank and the telco have demonstrated full compliance with their duties does the burden of liability shift to the consumer. At this stage, the consumer is expected to have exercised due diligence, such as safeguarding personal banking credentials, recognizing phishing attempts, and avoiding high-risk transactions. This structured approach aims to promote proactive risk management across all stakeholders while protecting consumers from undue financial losses caused by systemic vulnerabilities.

 

Impact of a shared responsibility framework in Malaysia

The introduction of a similar framework in Malaysia could provide consumers with better protection against online scams by promoting a more structured and fair approach to fraud prevention. By clarifying the responsibilities of FIs and telcos, the framework helps ensure that security measures such as transaction monitoring, scam detection tools, and fraud alerts are in place to reduce the risk of scams affecting consumers.

One of the key benefits of the SRF is that it encourages a more balanced approach to liability. Instead of placing the full burden of financial losses solely on victims, the framework holds FIs and telcos accountable when they do not meet their security obligations. This not only helps consumers feel more secure when making digital transactions but also reinforces the importance of preventive measures across different industries.

While the SRF marks a significant step forward in strengthening consumer protection, it must be complemented by enhanced public awareness and digital literacy. Consumers also play a crucial role in safeguarding themselves from scams and equipping them with the right knowledge is just as vital as regulatory enforcement.

 

Conclusion

The escalating surge in scam cases highlights the timely need for a comprehensive and collaborative approach to combat digital scams in Malaysia. While current initiatives are crucial in setting foundational safeguards, it is clear that the rapid growth of online fraud demands for the need for clearer delineation of responsibilities and broader collaboration between related industries and consumers alike within the country.

As the digital landscape evolves, so too must our strategies for combating fraud. The SRF model offers valuable insights into how such a collaborative framework can reduce risk and improve consumer protection.  If at all, these international best practices should be leveraged on to draw upon Malaysia’s own cybersecurity infrastructure, ensuring a safer digital environment for all. Ultimately, the success of such initiatives relies on the shared commitment of all involved to safeguard against the ever-growing threat of online fraud.