E-Payments User Protection Guidelines & FAQs

The Monetary Authority of Singapore (“MAS”) has issued the E-Payments User Protection Guidelines (“Guidelines”) to protect users of electronic payments and encourage wider adoption of e-payments in Singapore.

The Guidelines establish a common baseline protection that financial institutions (“FI”) will provide to individuals and sole proprietors from losses arising from unauthorised or erroneous e-payment transactions from their protected accounts.

Check out the frequently asked questions (“FAQs”) below in relation to the Guidelines.

The information below is only meant to serve as a guide and is not exhaustive. For the most complete and up-to-date details, please take a moment to read and understand the latest E-Payments User Protection Guidelines issued by MAS available at https://www.mas.gov.sg/regulation/guidelines/e-payments-user-protection-guidelines .

Frequently Asked Questions

1. What is the purpose of the E-Payment User Protection Guidelines?

The Guidelines set out the responsibilities of what the FI and account holders must do in relation to protected accounts maintained with WorldFirst and the liability for losses arising from unauthorised or erroneous payments transactions. It also helps establish a baseline protection for losses arising from such transactions.

You can read about the Guidelines listed down by MAS: www.mas.gov.sg/regulation/guidelines/guidelines-for-e-payments-user-protection

2. What is a protected account?

A protected account is a payment account that:

• is held in the name of one or more persons, all of whom are either individuals or sole proprietors;
• is capable of having a balance of more than S$1,000 (or equivalent amount expressed in any other currency) at any one time, or is a credit facility;
• is capable of being used for electronic payment transactions; and
• where issued by a relevant payment service provider is a payment account that stores specified e-money*.

3. How do the Guidelines protect me?

The Guidelines set out your responsibilities as an account holder or account user of a protected account. These include how you should protect your device, login credentials, access codes and protected accounts.

We will provide you with notification alerts and a reporting channel so that you may be alerted of unauthorised transactions and report them should they happen.

We will investigate claims of unauthorised transactions, with the aim of achieving a fair and reasonable resolution.

The Guidelines do not apply to transactions which you initiated because of a scam or fraud. If you suspect or have reason to believe that you are a victim of a scam or fraud, you are advised to lodge a police report for police investigations.

4. What are your duties as an account holder/account user?

The Guidelines set out your duties as a protected account holder or account operator to adopt good security practices. These include:

1. 1. Ensuring that your contact information (e.g. mobile number and email address) are complete and accurate at all times so that we can send you notification alerts.
   2. Enabling notification alerts on your device(s) used to receive such alerts.
   3. Monitoring your notification alerts and reporting to us as soon as possible if you become aware of any unauthorised or erroneous transaction(s).
   4. Safeguarding your access credentials to your protected account (such as your password, security code, PIN, OTP or any other credentials used to authenticate your identify and/or initiate or execute any payment transaction) by not performing any of the following:

1. 1. 1. Voluntarily disclosing any access credentials to any third party (including WorldFirst’s employees);
      2. Disclosing the access credentials in a recognisable way on any payment account, authentication device or any container for the payment account; or
      3. Keeping a record of any access credentials in a way that allow any third party to easily misuse the access credentials.

1. 5. Making reasonable efforts to secure any record of any access credentials by keeping the record in a secure electronic or physical location accessible or known only to the account operator and keeping the record in a place where the record is unlikely to be found by a third party.
   6. Practicing good digital security hygiene by ensuring that:

1. 1. 1. You only download and use our WorldFirst’s mobile application from the official app stores (e.g. Apple App Store, Google Play Store).
      2. Your device’s browser is updated to the latest version;
      3. Your device’s operating system is patched on a regular basis with security updates provided by your device’s operating system provider;
      4. Your device has the latest anti-virus and anti-malware software installed and is regularly maintained through updates;
      5. Your password protection is strong through a mixture of alphabets and numbers with a minimum of 8 characters or use of strong authentication method made available by the device provider such as facial recognition or fingerprint authentication methods. Passwords should not be repetitive and easy to guess;
      6. You do not root or jailbreak the devices used; and
      7. You do not download and install applications from third-party websites outside official sources (“sideload apps”), in particular unverified applications which request device permissions that are unrelated to their intended functionalities.

1. 7. (where applicable) Informing all your protected account operators of the security instructions or advice provided by us and where possible, following the security instructions or advice provided by us.
   8. Reading and verifying the content sent with access codes before completing payment transactions or high-risk activities.
   9. Only referring to official sources (i.e., MAS Financial Institutions Directory) to obtain the contact details (i.e., email address and phone number) of WorldFirst
   10. Not clicking on links or scan QR codes purportedly sent by WorldFirst unless the links are to solely provide information to you such as regulatory requirements (i.e., Terms and conditions), product description, steps to execute a transactions etc.
   11. Understanding the risk and implications of performing high-risk activities.
   12. Reporting any unauthorised activities or erroneous transactions to WorldFirst as soon as practicable upon your receipt of any notification alerts or otherwise becoming aware; and providing the required information on unauthorised transaction as requested by WorldFirst and lodging a police report if we require such a report to be made to facilitiate our claims investigation process
   13. where WorldFirst provides a self-service feature Activating the self-service feature to promptly block further mobile and online access to your protected account

5. What are the duties of WorldFirst?

We will ensure that:

• we inform every account holder and account operator of a protected account of their user protection duties;
• we impose a 12-hour cooling period where high-risk activities cannot be performed when there is a login to protected account on new device;
• we inform every account holder and account operator of a protected account of the risks and implications of performing high-risk activities;
• we provide a self-service feature (Kill Switch) for every account holder to promptly block further access to a protected account;
• we send outgoing notification alerts to every account holder on a real time basis for each transaction and whenever a high-risk transaction is performed by way of SMS and/or email;
• we provide the required information accompany the access code through the One-Time Passwords sent via SMS to allow the account holder of a protected account to identify payment receipient;
• we provide an onscreen opportunity for you to check the receipient credentials before executing any authorised payment transaction;
• we have capabilities in place to detect and block suspected unauthorised transactions at all times;
• we provide you with a reporting channel for the purposes of reporting any unauthorised or erroneous transaction(s);
• we will assess any claims you make in relation to any unauthorised transaction and complete the claims investigation.

6. What payment transactions are covered by the Guidelines ?

All payments initiated from protected accounts through electronic means (other than payments you initiated because of a scam or fraud), and funds received to protected accounts through electronic means, such as online payments and transfers, are covered by the Guidelines.

7. What are transaction notifications alerts for?

The notifications safeguard you against unauthorised and erroneous transactions. They are to alert you of such transactions on a timely basis so that you may report them to us as soon as possible.

8. What are considered as high-risk activities?

High-risk activities include, but not limited to:

• Adding of payees to the account holder’s payment profile;
• Change in the account holder’s contact information including mobile number, email address and mailing address; and
• Disabling transaction notifications that will be sent upon completion of a payment transactions.

9. How can I report an unauthorised activities and/or erroneous transaction?

You will need to contact our team via email [email protected] or +65 6805 4380. Our service hour is 9am to 6pm SGT (Mon – Thurs) and 9am to 5pm (Fri).

Our team will verify your identify, your protected account and the transaction in order for us to commence investigations and update you.

[For Singapore Sole Proprietor] If you are a victim of scam or suspect your World Account and/or World Card(s) have been compromised, you can use the portal or APP to activate the Kill Switch immediately which is a security feature that allows you to instantly suspend access to your World Account and/or World Card and certain payment transactions. More details: https://www.worldfirst.com/sg/help-center/account-management/kill-switch/