
Singapore's Shared Responsibility Framework: what it means for businesses and why SEF cover still matters

Singapore's Shared Responsibility Framework came into effect in 2025, directing banks to absorb certain scam losses. But the framework does not cover business-to-business payments, supplier fraud, or BEC scams that fall outside its scope. Here is what it means for Singapore businesses.

In 2025, the Monetary Authority of Singapore (MAS) implemented the Shared Responsibility Framework (SRF), a set of rules governing how losses from certain phishing scams are shared between banks and their customers.

The framework attracted significant attention when it was announced, and rightly so. It represents a meaningful shift in how Singapore's financial system approaches the question of who bears the cost when a customer is deceived into transferring money to a scammer. For retail banking customers, the SRF provides a clearer basis on which to seek restitution from their bank.

For business owners, however, the SRF requires careful reading. Its scope is more limited than the headline suggests, and the categories of payment fraud most likely to affect a Singapore SME fall largely outside the framework's coverage.

What the Shared Responsibility Framework actually covers

The SRF applies to unauthorised transactions arising from phishing scams conducted through digital channels. In plain terms: a retail banking customer receives a fraudulent SMS or email that appears to come from their bank, clicks a link, enters their banking credentials on a fake site, and money is transferred out of their account without their authorisation.

In this scenario, the SRF allocates responsibility between the bank and the customer based on whether each party fulfilled its obligations. The bank's obligations include maintaining anti-scam safeguards, implementing transaction monitoring, and providing kill switch functionality. The customer's obligations include not sharing credentials and not clicking suspicious links. Where the bank failed in its obligations, it bears the loss. Where both fulfilled their obligations and the fraud still occurred, there is a residual sharing arrangement.

This is a meaningful protection for individuals whose personal bank accounts are drained by phishing attacks. It is not a framework that addresses the fraud scenarios most relevant to business operations.

What the SRF does not cover

The SRF is explicitly scoped to phishing scams affecting retail banking customers. It does not cover the following.

Business-to-business payment fraud. When a business receives a fraudulent instruction to change a supplier's bank account details and makes a payment to the fraudster's account, this is not a phishing attack on the business's own bank account. The business authorised the payment. The bank processed an authorised instruction. The SRF does not apply, and the bank has no obligation under the framework to compensate the business for the loss.

Business Email Compromise (BEC) and Social Engineering Fraud (SEF). These are the fraud types most commonly affecting Singapore businesses. In a BEC or SEF scenario, a criminal impersonates a CEO, a supplier, or a finance contact and convinces an employee to transfer funds to a new account. The employee genuinely believes they are following a legitimate instruction. The bank receives an authorised payment instruction. The SRF does not respond to this scenario because the transaction was authorised by the account holder, even if that authorisation was obtained through deception.

The Singapore Police Force's advisory on Business Email Compromise issued in May 2026 noted that since 1 January 2026 alone, at least 66 BEC cases had been reported with losses of at least S$19 million. BEC scams that involve authorised payments are outside the SRF's scope regardless of how convincing the deception was. We covered BEC and SEF in detail in Business Email Compromise in Singapore.

Internal fraud and employee dishonesty. Commercial crime committed by an employee, including the theft of company funds, manipulation of payment systems, or diversion of client payments, is a separate category entirely from what the SRF addresses. You can read more about this in our post on Commercial Crime Insurance in Singapore.

Payments made outside the covered bank channels. The SRF covers transactions through the banks subject to MAS regulation. Cross-border payments, payments through non-bank platforms, and transactions that occur outside the scope of the framework's defined channels are not covered.

Why this matters for Singapore businesses

The SRF has created a degree of confusion in the market. Some business owners have interpreted its existence as meaning that scam losses are now, broadly, the bank's problem. They are not, and for business payment fraud specifically, the legal position has not fundamentally changed.

A business that makes an authorised payment in response to a fraudulent instruction has, in most cases, no contractual or statutory basis to recover that payment from its bank. The payment was authorised. The bank fulfilled its role. The loss belongs to the business.

This is precisely the exposure that Social Engineering Fraud (SEF) insurance is designed to cover. An SEF extension under a commercial crime policy responds where a covered employee was deceived by a fraudulent communication into transferring funds or assets. The employee's good faith is the key element: they were not acting dishonestly, they were manipulated. And that manipulation is what the SEF cover responds to.

The fact that the SRF does not cover this scenario makes SEF insurance more relevant for businesses, not less. The framework has clarified the boundary of what banks will absorb. Everything outside that boundary remains with the business.

The three-way picture

For a Singapore business with meaningful payment exposure, the coverage framework looks like this.

Where an employee makes a payment in response to a fraudulent external instruction, thinking they are following a legitimate instruction: this is an SEF claim. The SRF does not apply.

Where an employee deliberately misappropriates funds or makes unauthorised payments for their own benefit: this is a commercial crime claim. The SRF does not apply.

Where the business's own banking credentials are stolen through a phishing attack and money is taken from the account without the business authorising it: the SRF may apply to the extent the business holds a personal account at a covered bank, but business accounts and corporate banking relationships are typically governed by separate terms.

The practical takeaway is that the SRF provides a meaningful additional layer of protection for individual Singaporeans. For businesses, the pre-existing insurance framework, SEF cover and commercial crime insurance, remains the appropriate response to payment fraud exposure.

You can read more about our SEF cover and commercial crime cover on the products page. If you would like to understand how your business's payment processes and current insurance arrangements sit against these fraud risks, we would be glad to work through it with you.

This article provides general information only. It is not insurance advice. Policy availability, terms, conditions, and exclusions vary by insurer and product, and cover is subject to the full policy wording. Please contact TZY CO for advice on your specific situation.
