Singapore's Shared Responsibility Framework Bites: Real-Time Fraud as a Decisioning Problem

Singapore has done something most scam-response regimes have avoided: it has attached money to the duties. Under the Shared Responsibility Framework (SRF), financial institutions that fail their defined obligations can bear the financial loss when a customer is defrauded by a phishing scam. For Heads of Fraud and Chief Risk Officers across Australia, New Zealand and South-East Asia, the SRF is worth studying not as a Singapore-specific rule but as a preview of where accountability for scam losses is heading regionally, and of the operational capability it demands.

What the SRF actually requires

The SRF took effect on 16 December 2024, setting out duties for financial institutions and telcos and a waterfall of liability when those duties are breached and a customer suffers a phishing-scam loss. The framework’s logic is deliberate: liability follows duty. An institution that meets its obligations is not on the hook; one that fails them can be.

A duty that came slightly later sharpens the operational edge. The fraud-surveillance duty took effect from 16 June 2025, obliging responsible institutions to detect and act on suspicious, rapid draining of accounts. Then from 15 October 2025, Singapore’s major banks introduced enhanced safeguards under which single-day digital transfers exceeding 50% of an account’s balance are automatically held or blocked for accounts holding at least S$50,000, with a hold giving the customer time to review before funds move.

Read together, these duties do something subtle but profound: they move the bank’s obligation from after the fact (reimburse, investigate) to in the moment (detect, hold, block while the transfer is in flight).

Fraud is now an in-flight decision

That in-the-moment obligation is what reframes fraud as a decisioning problem rather than a reporting one. A surveillance duty that requires holding or blocking a high-velocity outflow cannot be satisfied by overnight batch analytics or a next-day alert queue. The decision, accept, hold, or block, has to be made on the transaction as it happens.

This places fraud teams in the same operational reality that real-time credit decisioning has lived in for years, and surfaces the same hard trade-offs:

• Latency. The accept/hold/block decision must resolve within the transaction window, not after it.
• False positives. A 50% threshold is a blunt instrument; legitimate large transfers, a house deposit, a business payment, will trip it. Over-blocking erodes trust and floods support channels.
• Context. The same outflow can be benign or catastrophic depending on the account’s history, the destination, recent authentication events and behavioural signals. A rule alone cannot tell them apart well.
• Explainability. When a transfer is held or a loss is contested under a liability framework, the institution must be able to show why the system acted, or did not.

The institutions that handle this well are not the ones with the strictest rules. They are the ones that can combine rules with risk scoring and context in real time, hold the genuinely suspicious, and let the legitimate through with minimal friction.

It is worth being precise about what the threshold rule is and is not. A blanket “hold transfers over 50% of balance” control is straightforward to implement but expensive in customer experience, because legitimate large movements are common at exactly the account sizes the rule targets. The harder, and more valuable, capability is to treat the threshold as one signal among many: combining it with the destination account’s history, the recency of authentication and device changes, behavioural patterns and known scam typologies to decide whether a given outflow warrants a hold, a step-up challenge, or a clean pass. That is the difference between a control that protects customers and one that merely inconveniences them.

The regional read-across

Singapore is ahead, but it is not alone in direction. Australia’s Scams Prevention Framework came into force on 21 February 2025, establishing enforceable, sector-wide obligations to prevent, detect, disrupt and respond to scams across banks, telcos and digital platforms. The mechanisms differ from the SRF, but the through-line is the same: regulators increasingly expect institutions to act on scam signals in real time, and increasingly tie accountability to whether they did.

For ANZ and South-East Asian lenders and banks, the lesson is to build the capability before the duty arrives, not after. Specifically:

• Treat the accept/hold/block decision as a first-class, real-time decision with its own latency budget and governance.
• Pair velocity rules with context and risk scoring to keep false positives survivable.
• Capture the reasoning behind every hold and release, so contested losses and regulatory queries can be answered with evidence.
• Stress-test customer-friction pathways now, a blocked legitimate transfer is a customer-experience and reputational event, not just a fraud control.

Where Credisense fits

A surveillance duty that demands accept/hold/block in flight, at scale, with low false positives and a defensible record is, structurally, a real-time decisioning problem, the discipline Credisense was built around. Real-time decision orchestration that blends rules, scoring and context, an explainable and captured decision trail behind every hold or release, and sense.AI for consistent, transparent decision support let fraud and risk teams act in the moment and explain the action afterwards.

Singapore’s framework will keep evolving, and the precise thresholds may change. But the shape of the obligation, decide on the transaction while it is happening, get the false-positive rate low enough to live with, and be able to show your reasoning, is the shape fraud operations across the region should be building toward now.