Digital technologies have become an ever-present feature of our day-to-day life, and with it, so too has the risk of abuse by malicious actors. Notably, Short Message Service ("SMS") has become a channel that scammers commonly use to conduct their illicit activities.
The Infocomm Media Development Authority ("IMDA") has been working to address the threat of SMS and phone scams, building multiple layers over the years to safeguard such communication channels. On 15 August 2022, IMDA issued consultation papers on its new proposed measures to further safeguard SMS messages. The proposed measures are:
- Full SMS sender ID registration; and
- Implementation of anti-scam filter solution within mobile networks.
Responses to the respective consultations should be submitted to IMDA by 9 September 2022.
The proposed measures will affect businesses and organisations that utilise SMS in their operations, by introducing new registration requirements. They will also require Mobile Network Operators ("MNOs") to implement new protective measures within their network.
This Update highlights the key points of the consultation papers and the new proposed measures.
Full SMS Sender ID Regime
One common method scammers employ is to masquerade their SMS sent to Singapore mobile users using the same alphanumeric sender identification ("Sender ID") used by genuine businesses and organisations, so as to deceive victims into divulging sensitive information.
To combat this, in March 2022, IMDA established the Singapore SMS Sender ID Registry ("SSIR"), which is a central body for the registration of Sender IDs to be used in Singapore. SMS that attempts to spoof the registered Sender IDs will be blocked upfront, thus reducing the risk of scams. However, the SSIR is currently a voluntary system for organisations that wish to register and protect their Sender IDs, meaning that scammers may still spoof non-registered Sender IDs.
IMDA is now proposing to make SSIR participation and registration mandatory for all organisations that choose to use Sender IDs to send SMS to Singapore mobile users. Only registered Sender IDs may be used to send SMS, and all non-registered Sender IDs will be blocked.
The proposed full SSIR regime introduces new requirements for organisations and aggregators who wish to handle SMS with Sender IDs to Singapore mobile users:
- Organisations – Merchants and organisations that use SMS Sender IDs must register with the SSIR using their local unique entity number ("UEN") as issued by relevant government agencies, and provide the list of Sender IDs that they wish to protect. The costs of registration are a one-time set up fee of S$500 and yearly fee of S$1,000 for up to 10 Sender IDs that the organisation wishes to protect. The organisations will then need to choose aggregators that are licensed by IMDA and registered with the SSIR to handle these SMS to be sent to Singapore mobile users.
- Aggregators – All aggregators that wish to handle SMS with Sender IDs sent to Singapore mobile users must obtain minimally a Services-Based Operator (Class) licence from IMDA. To qualify for a Services-Based Operator (Class) licence, the aggregator must be a company incorporated, a foreign company registered under the Singapore Companies Act or a Limited Liability Partnership or Limited Partnership registered with the Accounting and Corporate Regulatory Authority ("ACRA"). Licensed aggregators must comply with regulatory requirements such as performing Know Your Customer ("KYC") processes on the organisations for which they are sending SMS to ensure they are genuine.
IMDA is proposing to provide a transition period starting in October 2022 before the full SSIR regime commences in December 2022. During the transition period, the SSIR will still be a voluntary regime but organisations and aggregators can start to register with the SSIR, as well as implement the relevant policies and processes. Once the full SSIR regime commences, organisations will not be able to send SMS with unregistered Sender IDs to Singapore mobile users.
Anti-Scam SMS Filtering
Another common tactic used by scammers is to deceive victims into clicking malicious links sent via SMS to obtain their sensitive data. IMDA has noted the commercial availability of technology that can identify and filter potential scam SMS messages within MNOs' networks before they are delivered.
IMDA is thus proposing that the same anti-scam filter solution be implemented by the MNOs in Singapore, which will be done in phases:
- Phase 1 – Filtering will be conducted by an automated process which cross-checks links in SMS messages against a database of known malicious links.
- Phase 2 – Filtering will be conducted by an automated machine learning process which seeks to identify suspicious patterns within the SMS message, such as keywords, phrases, and message formats commonly used in scam messages. As part of the machine learning process, there may be SMS messages that are identified by the machine as potential scams; such messages will then be anonymised by the machine and then routed to the MNO's technical personnel for further assessment.
The proposals in the consultation papers issued by IMDA seek to further protect Singapore users against SMS scams, and are part of IMDA's ongoing multi-layered approach to strengthen protection against scams. In particular, the implementation of the full SSIR regime is to ensure that the organisations behind the Sender IDs are clearly identified and reduce the risk of SMS scams via spoofing of Sender IDs.
Organisations, aggregators and MNOs should familiarise themselves with the new requirements sought to be implemented, as well as the proposed timelines for implementation.
We highlight that the proposed requirements may entail significant changes to organisations and aggregators who wish to handle SMS with Sender IDs to Singapore mobile users, especially those which are foreign-based. As noted in IMDA's consultation paper, there are today foreign-based aggregators that are not licensed by IMDA and are sending SMS with Sender IDs on behalf of foreign-based organisations to Singapore mobile users. This will no longer be allowed under the new requirements. Going forward, organisations and aggregators must ensure that they are working with locally registered entities. For multinational organisations who contract with global aggregators to send large numbers of SMS with Sender IDs (e.g. for authentication or verification purposes) to users all over the world, including Singapore, the proposed requirements may raise operational issues that you would like to submit feedback or invite clarification from IMDA on pursuant to this consultation.
MNOs should take note of the anti-scam solutions that are proposed to be implemented and assess their own systems and operations to ensure that such solutions can be duly and smoothly put in effect, and engage IMDA if there are potential challenges.
The consultations are open from 15 August 2022 to 9 September 2022. The full consultation paper on the full SMS Sender ID regime is available here, and the full consultation paper on the anti-scam filtering solutions is available here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.