Singapore – In the bid to further scam-proof all customer communications through SMS, Infocomm Media Development Authority (IMDA), Singapore’s watchdog for information and communications, has decided to finally make the registration of Sender IDs for SMS mandatory for organisations. 

A pilot SMS Sender ID Registry was first initiated in August 2021, however, with the surge in scams using SMS, IMDA accelerated the setting up of the Singapore SMS Sender ID Registry or SSIR in March this year, where SMS that spoofed or made use of registered IDs on the SSIR were blocked upfront, reducing the risk of scams.

The IMDA said that while SSIR has had an impact, in particular, SMS scam cases declining threefold, it remains to be a voluntary system, and thus concerning the board that this remains to give way for risks of spoofed SMS towards the public. 

“To build stronger scam prevention capabilities, we intend to make SSIR registration a requirement for organisations that use Sender IDs (i.e., a full registration regime). Therefore, only registered Sender IDs will be allowed. All other non-registered Sender IDs will be blocked as a default. This further safeguards SMS as a communication channel,” said IMDA in its official statement. 

Moving forward with the implementation, merchants and organisations that use SMS Sender IDs must register with the SSIR using their Unique Identity Number (UEN), and aggregators who wish to handle SMS with Sender IDs must participate in the SSIR and verify merchants/organisations sign-ups through their UENs

The IMDA said that the said requirements will provide better assurance that only bonafide merchants are using Sender IDs. As a start, the proposed solutions can detect malicious links within the SMS that lead to scam websites; and telcos can then develop solutions to identify patterns of suspicious scam messages and filter them accordingly.

The transition period for orgs will start from October 2022, before the full SSIR registration requirement commences in end-2022.

It would be remembered that at the beginning of the year, regulators in Singapore, particularly its financial authorities MAS and ABS, were urged to encourage banks to scrap clickable links in customer emails and SMS. This followed the OCBC catastrophe in Singapore wherein a phishing scam had nearly 500 customers losing their money amounting to at least S$8.5m.