Singapore is still working on rules to strengthen social media enforcement

Singapore is still considering new rules which, among other things, will order social media platforms to disable access to content they deem harmful. However, this will not prevent the use of hyperlinks in SMS or other messaging applications, as it will not eliminate the risk of someone falling prey to phishing attacks.

Last month, the Ministry of Communications and Information (MCI) said it was working on two proposed codes of practice aimed at improving the safety of social media users in the country. The first would require social media service providers to adopt upstream “system-wide” processes to enhance the online safety of their users, especially young people.

The second code of practice would empower industry regulator Infocomm Media Development Authority (IMDA) to order social media platforms to cut off access to specific “flagrantly harmful content” that remained available despite the company’s content moderation systems. these operators. The government deemed this content to include sexual abuse, self-harm, public safety, as well as racial or religious intolerance.

The new enforcement framework would give IMDA the power to order any social media service accessible from Singapore to block access to specific types of harmful content or ban specific online accounts from communicating that content or engage users in the country.

The ministry noted that while these services have made efforts to address the issue, it is concerned that online harms will continue to prevail and will be compounded when amplified on social media.

The MCI said this week in a written parliamentary response that governments around the world are also looking for ways to effectively regulate social media services.

“As with all forms of regulation, non-compliance should result in enforcement action. MCI has studied relevant international regulatory models and provisions under existing local laws. We will provide details of the enforcement framework in due time,” the ministry said.

Various measures needed to mitigate phishing threats

As it mulls new regulations for social media, Singapore has taken more concrete steps to mitigate the risks stemming from embedded hyperlinks in text messages and other messaging platforms.

In January, the government said it was reviewing the public sector’s use of text messages and clickable links to interact with the public as part of efforts to combat phishing scams. The move came after SMS phishing scams involving OCBC Bank customers, where scammers manipulated SMS sender ID details to direct victims to phishing websites, surfaced. resulted in losses of over SG$8.5 million. Banks were then instructed to remove hyperlinks from emails or text messages sent to consumers.

In its parliamentary response this week, the Smart Nation Digital Government Group (SNDGG) said it had assessed the use of links by government agencies and determined that removing them from text messages, emails or other platforms messaging would not eliminate the risk of users falling prey to phishing attempts.

To further mitigate these threats, it would instead implement detection and prevention measures at the backend level and educate users on how to protect themselves from the perpetuation of such scams through the use of hyperlinks.

Elaborating on the backend measures, SNDGG said the government would only use domains ending in “” when sending SMS messages with links. However, there were exceptions where government agencies collaborated with other organizations and other websites could be used. These sites would be listed online so that users could check unknown websites before interacting with them.

SNDGG added that the Singapore SMS Sender ID Registry was established in March 2022 to block SMS messages that spoofed the sender IDs of targeted entities, including government agencies and banks. To date, more than 50 organizations have signed up for the registry, along with all “gradually integrated” government agencies.

The government was still considering whether it would be necessary to require all users of alphanumeric sender IDs to participate in the registry.

Telecom operators were also implementing capabilities in their networks to block fraudulent messages and calls, including robocalls and anyone spoofing numbers from local government agencies and emergency services, SNDGG said. He said the government had also implemented multi-factor authentication – including the use of biometrics – on SingPass, which residents needed to access government services online.

Additionally, plans were underway to launch a WhatsApp channel for the National Crime Prevention Council in the third quarter. This would allow citizens to report suspected scams more quickly and enable the government to “collect information” and respond to fraudulent websites and messages, the SNDGG said.

He added that IMDA is also working with the Singapore police to identify and block suspected scam websites. Some 12,000 suspected fraudulent websites were blocked last year.

Misconfigurations are the number one cause of digital banking disruptions

Scams aside, errors have been the biggest cause of online banking disruptions over the past year.

Four retail banks – Citibank Singapore, DBS Bank, OCBC and United Overseas Bank (UOB) – have reported eight disruptions to their digital banking services since July 2021. Most resolved within three hours, the incidents affected an average of 12,000 customers , said Tharman Shanmugaratnam, Chief Minister of Singapore and Minister responsible for the Monetary Authority of Singapore (MAS) in his parliamentary response this week.

The longest disruption, lasting 39 hours, involved DBS in November last year, which was later attributed to a malfunction in the bank’s access control servers.

While one disruption was linked to an outage at a third-party cloud service provider, Tharman said the banks themselves were primarily to blame for these incidents. The minister highlighted software misconfigurations, system malfunctions and errors that were introduced when banks made changes to the system.

MAS required all banks to be able to recover systems supporting critical banking services, such as funds transfers and payments, within four hours of any disruption. The total unscheduled downtime for each critical system must also not exceed four hours in a 12 month period.

Tharman said MAS would take supervisory action when banks violate these requirements.

DBS, for example, was tasked with engaging an independent expert to conduct a review of the bank’s service disruption, including bank checks and recovery actions and preventative measures for similar incidents at the bank. ‘coming.

DBS also had to correct any shortcomings identified during the review and implement measures to ensure that any future disruptions to its digital banking services were resolved quickly and adequately, Tharman said.

“Recent incidents highlight the need for banks to continually review their IT resiliency strategy and ensure there is sufficient redundancy and fault tolerance built into their digital banking IT infrastructure,” wrote The Minister. “Fast systems diagnosis and recovery, coupled with robust business continuity management, are essential to minimizing the impact of an IT disruption.”

He added that the MAS has introduced business continuity management guidelines which outline the measures that financial institutions should use to maintain critical business services and minimize service disruptions. With cloud adoption increasing the industry’s exposure to third-party risk, MAS has also highlighted these risks as a key area for financial institutions to focus on in both the BCM’s guidelines and its guidelines. technology risk management.