AS scam numbers rise, “friction” is in – at least for local bank users and Central Provident Fund (CPF) Board members.
Recently, these organisations have added more steps, or what is known as friction, to verify users’ identities online and make them rethink their transactions.
In contrast, financial technology (fintech) services that offer fast payments with just a few clicks try to make the experience as swift and seamless as possible.
This means, they are far more relaxed about the way they caution, alert and protect customers here.
Also, by the end of 2023, users of fintech e-wallets in Singapore will have their spend and balance limits raised by up to four times. That means the stakes will be higher.
Is it time to introduce friction more consistently across the board, especially within the financial services sector, to stave off scams and costly mistakes?
My recent missteps on fintech firm Wise’s platform that led to losses of about S$700 in foreign exchange and conversion fees, showed me there are gaps and inconsistencies in the way fintech firms inform, warn and protect their users.
Unless plugged, these could pose problems down the road.
For a while, the focus was on making transactions as quick and convenient as possible. Friction, which clogs up online transactions with extra steps, was not considered desirable. But this compromised customer security amid rising scams.
The tipping point in Singapore came with the headline-grabbing case of scammers pretending to represent OCBC Bank. They swindled a total of S$13.7mil from 790 customers over a few weeks between December 2021 and January 2022.
This precipitated many new banking controls, and friction became fashionable again.
For instance, there is a 12-hour delay before a new banking software token providing two-factor authentication can be activated on a mobile device.
Kill switch
A kill switch in banking apps and websites has also been mandated to let customers immediately freeze their bank accounts if they suspect that these have been compromised.
Banks also have to alert users of the risks of adding a new payee and initiating transactions, and many do so through prompts and notices in their apps.
Most recently, scammers made away with CPF savings totalling S$124,000 across eight separate cases in the first half of 2023. Such losses were unheard of in the past.
In response, the CPF Board in late June started requiring some of its members using the Singpass authentication service to also scan their faces to log in to their accounts.
Explaining the new protection feature, the CPF Board said: “While this may make it less convenient for members to access CPF online services, we seek CPF members’ understanding that it might be better to be safe than sorry.”
We seem to have different levels of friction for online transactions in Singapore now. Institutions such as the CPF Board and the banks have raised the bar on customer protection measures.
On the other hand, many fintech firms cover only the basics – collect user identity data and require one-time passwords at registration to meet anti-money laundering regulations and the rules on countering the financing of terrorism.
The risks are arguably much lower for fintech users. The cap on fintech e-wallet balance is S$5,000 at the end of the day, and the yearly transfer limit is S$30,000 – significantly lower than what bank users can set.
But these caps will soon be raised. By the end of 2023, the Monetary Authority of Singapore (MAS) will increase the maximum funds that can be held in an e-wallet to S$20,000.
The maximum annual flow through the e-wallet will be raised to S$100,000. The Payment Services Act will be amended to facilitate the easing of restrictions.
Such easing calls for a tighter rein on how fintech firms inform, warn and protect users on their platforms as customers would have a lot more to lose if they made a mistake.
My own experience with Wise serves as a reminder of the risks of plunging into the brave new world of fintech services.
The mistake I made when I first used Wise in June was to assume that it would adequately inform me about transfer limits and risks. But the process was too smooth, and before I knew it, I became a few hundred bucks poorer.
The misadventure started when I was able to pay S$135,000 from my DBS app into my Wise account even though there is an MAS-imposed holding limit of S$5,000 at the end of each day on Wise wallet holders.
Information on the S$5,000 limit could not be found in the app. An e-mail notice came only after the payment was made. In the same e-mail, I was told to empty out the excess funds within two days or my account would be restricted from receiving or spending money.
When I finally got hold of a customer service representative, I asked why the S$135,000 transfer was processed despite the S$5,000 end-of-day balance limit.
The reply: “We do not restrict transfers above S$5,000 because you are in fact able to hold beyond S$5,000 in your Wise account.”
The reply made no sense to me. It would be less confusing if Wise had simply blocked incoming funds that exceed S$5,000 – the approach taken by GrabPay.
Blocking excess
Wise could also temporarily block excess incoming funds until the recipient acknowledges the end-of-day holding limit.
One mistake led to another. My second mistake: I converted S$135,000 to British pounds. When I initiated an overseas transfer, the payment was blocked. It was then that I was told of the annual S$30,000 spend limit.
Since I had busted both the balance and spend limits with a single transfer, why did Wise process the conversion of S$135,000 to British pounds?
Surely, an algorithm could have detected the anomaly and issued a warning. The app could also have taken the necessary steps to block the conversion since I would not be able to remit the money or keep it in my Wise wallet.
By that time, the only option for me was to convert the British currency to Singapore dollars and send it back to my DBS Bank account. The action set off another round of conversion fees.
Wise waived my first conversion fee, but it did not waive the second one. Therefore, I lost a total of about S$700, including from the poor foreign exchange rates.
My costly mistake could have been avoided if Wise had added ample information, warning and confirmation dialogues in the app to apprise me of the balance and spend limits.
Automated safety mechanisms could also have kicked in to block transactions that are affected by the caps.
Confirmation dialogues make sure users stop to think through what they are doing.
I’ve not heard any complaints about the delete confirmation dialogue box, “Are you sure you want to permanently delete this file?”, in Windows computers when one clears the recycle bin, because people understand that these speed bumps prevent accidents.
Banks have become very good at building these dialogues.
Adding a new payee in the DBS banking app will set off this warning: “Do you really know the individual/organisation you are adding as a recipient? Could fraudsters be using a new tactic to trick you into sending them money? If in doubt, do not proceed.” — The Straits Times/ANN
Irene Tham is tech editor for The Straits Times Singapore. The views expressed are the writer’s own.
