The E-Payments User Protection Guidelines (“EUPG”), issued by the Monetary Authority of Singapore (“MAS”), took effect on 16 December 2024. They spell out the expectations of any responsible financial institution (“FI”) that issues or operates a protected account, and the duties of users of protected accounts when performing activities related to e-payments.
The EUPG also establishes a common baseline protection offered by responsible FIs on a business-as-usual basis to individuals or sole proprietors from losses arising from seemingly authorised, unauthorised or erroneous transactions from the protected accounts of these account users.
Through the EUPG, Hong Leong Finance Ltd (“HLF”) is committed to working with you to protect your account(s) with us by implementing appropriate measures when you perform digital transactions through our HLF Digital app.
HLF would also like to strongly encourage you, as an account user, to be aware of your responsibilities and adopt safe practices to safeguard your protected account(s) from seemingly authorised or unauthorised transactions.
Your Duties As An Account Holder And Account User
Please refer to “your duties as an Account Holder and Account User” for more details.
Our Duties To You
Please refer to “our duties to you” for more details.
FAQs And More Information
A list of EUPG FAQs can be found below. You can also read about HLF Digital Safeguard for more information on how to protect your account.
For more details of the EUPG, please refer to www.mas.gov.sg/regulation/guidelines/e-payments-user-protection-guidelines
Key Terms Defined under the EUPG
What is an Account Holder?
An Account Holder means any person in whose name a payment account has been opened or to whom a payment account has been issued, and includes a joint account holder and a supplementary credit card holder.
What is an Account User?
An Account User means:
- any account holder; or
- any person who is authorised in a manner in accordance with the account agreement, by the responsible FI and any account holder of a protected account, to initiate, execute or both initiate and execute payment transactions using the protected account.
What is an Access Code?
An Access Code means a password, code or another arrangement that the account user must keep secret, that may be required to authenticate any payment transaction or account user, and may include any of the following:
- personal identification number, password or code;
- internet banking authentication code;
- telephone banking authentication code;
- code generated by an authentication device;
- code sent by the responsible FI by phone text message such as Short Message Services (“SMS”),
but does not include a number printed on a payment account (e.g. a security number printed on a credit card or debit card).
What is an Authentication Device?
An Authentication Device means any device that is issued by the responsible FI to the account user for the purposes of authenticating any payment transaction initiated from a payment account, including a device that is used to generate, receive or input any access code.
What are High-risk activities?
High-risk activities include, but are not limited to:
- adding of payees to the account holder’s payment profile;
- increasing the transaction limits for outgoing payment transactions from the payment account;
- disabling transaction notifications that the responsible FI will send upon completion of a payment transaction; and
- change in the account holder’s contact information including mobile number, email address and mailing address.
What is a Payment Transaction?
A Payment Transaction means the placing, transfer or withdrawal of money, whether for the purpose of paying for goods or services or for any other purpose, and regardless of whether the intended recipient of the money is entitled to the money, where the placing, transfer or withdrawal of money is initiated through electronic means and where the money is received through electronic means.
What is a Protected Account?
A Protected Account means any payment account that:
- is held in the name of one or more persons, all of whom are either individuals or sole proprietors;
- is capable of having a balance of more than S$1,000 (or equivalent amount expressed in any other currency) at any one time, or is a credit facility;
- is capable of being used for electronic payment transactions; and
- where issued by a relevant payment service provider is a payment account that stores specified e-money.
What is a Transaction Notification Threshold?
A Transaction Notification Threshold means:
- the threshold for transaction alerts set by the account holder; or
- if the account holder did not set any threshold for transaction alerts, the default industry-baseline transaction notification threshold.
What is an Unauthorised Transaction?
An Unauthorised Transaction* in relation to any protected account, means any payment transaction initiated by any person without the actual or imputed knowledge and implied or express consent of an account user of the protected account. This includes “seemingly authorised transactions” as defined in the Guidelines to the Shared Responsibility Framework.
* Examples of payment transactions that do not fall within the scope of unauthorised transactions:
- The account user knew of and intended to make the payment transaction, notwithstanding that the transaction could have arisen as a result of falling victim to a scam (e.g. e-commerce, government official impersonation, job, investment or love scams);
- The transaction was performed by a person as a result of the account holder sharing access and usage of their devices with the person, or storing the person’s biometric identities on their devices. The account holder is deemed to have consented to the use of his account by this person.
What are your duties as an Account Holder and Account User?
To protect your account(s) with HLF, you shall:
- Provide contact information, opt to receive all outgoing transaction notifications and monitor notifications
  - Provide latest contact information including a Singapore mobile number (for SMS alerts) or an email address (for email alerts).
  - Enable notification alerts via SMS, email or in-app notification for outgoing transactions, digital security token activations, and high-risk activities.
  - Monitor these alerts regularly to detect any unauthorised or erroneous activity.
Note: If the protected account is a joint account, the account holders shall jointly give instructions to HLF on whether HLF should send transaction notifications to any or all the account holders. HLF may assume that you will monitor these notification alerts without further reminders or repeat notifications.
- Protect your access codes
  - Never share your access codes with anyone, including but not limited to any HLF staff or government officials.
  - Avoid displaying or storing access codes in any recognisable form on payment accounts, authentication devices, or containers related to your account.
  - Store your access codes securely in a location that only you can access and that is not easily discoverable by others.
- Secure all access to your account(s)
  - Download the HLF Digital mobile application only from official sources (i.e. Apple App Store, Google Play Store);
  - Update your device’s browser (e.g. Chrome, Safari, Internet Explorer, Firefox) to the latest version available;
  - Patch the device’s operating systems (e.g. Windows operating system (OS), Macintosh OS, iOS, Android OS) with regular security updates provided by the operating system provider;
  - Install and maintain the latest anti-virus software on the device, where applicable (periodic updates, patches, version releases initiated by the antivirus software providers from time to time);
  - Use strong passwords, such as a mixture of letters and numbers, or strong authentication methods made available by the device provider, such as facial recognition or fingerprint authentication;
  - Do not root or jailbreak the devices used; and
  - Do not download and install applications from third-party websites outside official sources (“sideload apps”), in particular unverified applications which request device permissions that are unrelated to their intended functionalities.
You should inform all account users of the security instructions or advice provided by HLF. An account user should, where possible, follow the security instructions or advice provided by HLF.
- Review any content accompanying access codes before proceeding with payment transactions or high-risk activities
Read the messages containing access codes (e.g. One Time Password (OTP) sent via SMS or email) and verify the intended recipient for your payment or activity before completing any transaction or high-risk activities.
- Refer to official sources to obtain HLF’s website addresses and phone numbers
  - Use official sources such as the MAS Financial Institutions Directory (FID), HLF’s mobile app, or website for HLF’s website address and phone number.
  - Always contact HLF using the verified phone numbers and website addresses from official sources.
  - Do not click on links or scan Quick Response (QR) codes that claim to be from HLF unless you are expecting to receive specific information about our products or services. These links or QR codes should not lead you to provide access codes, authorise payment transactions, or engage in any high-risk activities. If you are unsure, please contact HLF directly to verify the authenticity of the communication.
- Understand the risks and implications of performing high-risk activities
  - Read the risk warning messages before confirming or proceeding with any high-risk activities.
  - Visit the HLF website for more information before you perform these activities, if you do not understand the risks and implications involved.
- Report unauthorised activities on your protected account
  - Report any unauthorised activity such as transactions, high-risk activities, or activation of a digital security token not initiated or consented to by you to HLF no later than 30 calendar days from the date you receive a notification alert regarding the activity.
  - Report any unauthorised transaction at any HLF Branch, or via HLF’s 24-hour Hotline at 6579 6777. If you are unable to report it promptly or within the 30-calendar-day period, we would need you to provide the reason(s) for the delay if we request it.
- Activate self-service feature Kill Switch
Activate the Kill Switch as soon as practicable to immediately block further mobile and online access to your protected account to help prevent further unauthorised activity, if you believe your account has been compromised or if you are unable to contact HLF.
Please refer to HLF Digital FAQ for more information on how to activate Kill Switch.
- Provide information on unauthorised transaction
Provide HLF with relevant details as soon as possible to facilitate our investigation of the unauthorised transaction. Information may include:
  - The affected HLF account(s),
  - The affected account(s) with other banks or financial institutions,
  - Your identification information,
  - Name or identity of any account user for your account,
  - Type of authentication device used to perform the payment transaction,
  - Whether your account, authentication device, or access code has been lost, stolen, or misused without your permission,
  - How your access code was stored or shared,
  - Any other information about the unauthorised transaction.
- Make a police report
Make a police report as soon as practicable to facilitate HLF’s claims investigation process, or if you suspect that you are a victim of a scam or fraud, even if no transactions have been made on your account.
Note: Please provide the police report to HLF within 3 calendar days of our request to help facilitate our investigation process.
What are our duties to you?
To protect your account(s) with HLF, we shall:
- Not send clickable links or QR codes via email or SMS, or phone numbers via SMS to you
We will not do the above unless:
  - The link or QR code only contains information for you and does not lead you to a (i) website where you provide your access codes or perform any payment transaction or (ii) platform where you are able to download and install apps; and
  - You are expecting to receive the email or SMS from HLF.
- Update contact details
We will ensure HLF’s website address is listed on MAS’ FID, and HLF’s contact details reflected on MAS’ FID and other official sources are up to date.
- Impose cooling off period for high-risk activities
We will impose a 12-hour cooling off period for such activities:
  - Activate a digital security token;
  - Log-in using a new device; and
  - Perform high-risk activities (add Payee, increase transaction limit for outgoing transactions, disable transaction notifications and change in contact details such as mobile number and email address).
You should inform all account users of the security instructions or advice provided by HLF. An account user should, where possible, follow the security instructions or advice provided by HLF.
- Inform you of the risks and implications of performing high-risk activities
We will inform you of the risks and implications of performing high-risk activities and obtain additional confirmation from you, at the point before you perform the high-risk activities.
- Provide real-time notification alerts for activation of digital security token and conduct of high-risk activities
We will provide real-time notification alerts to you, with relevant details, based on the instructions given by you to receive such notification alerts. The notification alerts will contain a reminder for you to contact HLF if you did not perform those activities.
- Provide real-time notification alerts for outgoing transactions
We will provide real-time notification alerts to you based on the instructions given by you to receive such notification alerts. The notification alerts will contain relevant details to enable you to identify the particular transaction(s).
- Comply with your instruction
We will comply with your instruction on whether or not to receive notification alerts for all or some outgoing transactions.
- Provide information on adjustment to transaction notification settings
We will make information available either at our website or HLF Digital app on how you can adjust the transaction notification settings. We will explain how your liability may be affected by your transaction notification preferences and how your claims may be resolved.
- Provide self-service Kill Switch feature to immediately block further access to your account
We will provide a Kill Switch feature for you to immediately block further mobile or online access to your account at any time of the day, if you believe your account has been compromised or if you are unable to contact HLF.
Please refer to HLF Digital FAQ for more information on how to activate Kill Switch.
- Provide information to identify payment recipients
We will provide relevant information accompanying the access codes sent to you for you to identify the payment recipients.
- Provide recipient credential information
We will provide you the relevant information to confirm a payment transaction and the recipient credentials before you execute a payment transaction.
- Provide reporting channel
We will provide an HLF reporting channel available to you at all times to report any unauthorised or erroneous transactions, and to activate Kill Switch.
- Implement real-time fraud surveillance
We will implement a real-time fraud surveillance system to detect and manage suspected unauthorised transactions at all times.
- Schedule system downtime during expected low volume of transactions
We will provide continued delivery of key services and alternatives during a scheduled system downtime, where applicable. We will not schedule such system downtimes during periods where a high volume of transactions is expected.
To manage your claims lodged with HLF, we shall:
- Institute investigation process
  - We will have a proper governance structure and investigation process to assess claims made by you in relation to any unauthorised transactions.
  - We will communicate the process and assessment to you in a timely and transparent manner.
- Credit your account with losses
We will credit your account with the losses as soon as possible if we conclude that you are not liable for any loss arising from the unauthorised transaction(s).
Note: You will be liable for your loss if it was due to your recklessness, i.e. you did not carry out your responsibilities as stated in “What are your duties as an Account Holder and Account User?”
To manage erroneous transactions, we shall:
- Make reasonable efforts to recover the amount sent or received in error
We will initiate reasonable efforts to recover the amount sent or received in error by you.
To handle any disputed investigation, we shall:
- Institute a dispute resolution process
  - We will have a proper dispute resolution process if you do not agree with our investigation outcome to your claims.
  - We will make available all our reporting channels for you to raise the disputed investigation outcome.
- Withhold/waive charges relating to disputed transactions
  - We will withhold/waive charges on your disputed transactions until the completion of our investigations.
- Disclose charges relating to recovery of unauthorised transactions
We will disclose any charges or costs related to the recovery of the unauthorised transaction amount (e.g. agent fees, professional fee, arbitration charge, etc.) to be borne by you.