E-Payments: User Protection Guidelines and FAQs

It sets out the responsibilities of what the Bank and accountholders (i.e. UOB and its customers) must do in relation to protected accounts maintained with UOB and the liability for losses arising from unauthorised or erroneous payment transactions. It also helps establish a baseline protection for losses arising from such transactions.

A protected account means any payment account that

1. is held in the name of one or more persons, all of whom are either individuals or sole proprietors;
2. is capable of having a balance of more than S$1,000 (or equivalent amount expressed in any other currency) at any one time, or is a credit facility; and
3. is capable of being used for electronic payment transactions.

For UOB customers, protected accounts include a UOB Savings Account, UOB Current Account, UOB CPF Investment Account, UOB SRS Account, UOB CashPlus and UOB Credit/Debit Cards.

You shall be responsible for the following:

a) Monitor all your transaction-related notifications

• Make sure to provide UOB with your latest Singapore mobile number and email address. If there are changes to your contact details, update us promptly.
• Ensure that you opt in to receive all notifications.
• Make sure the phone or device you are using can receive transaction notifications from UOB in real time.
• Monitor all notifications and alerts you receive from UOB promptly without further reminders or repeat notifications.

b) Protecting your access codes

• Never share your access code with anyone else, including any UOB staff, staff from other banks, or government officials.
• Do not disclose the access code in a recognisable way on any payment account, authentication device, or any container for the payment account (e.g. eWallets).
• Keep your access code safe at all times – if you write it down or have it saved somewhere, make sure it’s in a secure location and that no one else can access it.

c) Ensure that you secure all access to your account(s)

You should at the minimum:

• Download UOB TMRW App only from official sources (e.g. Apple App Store, Google Play Store).
• Update your device’s browser (e.g. Chrome, Safari, Internet Explorer, Firefox) to the latest version available.
• Patch the device’s operating systems (e.g. Windows operating system (OS), Macintosh OS, iOS and Android OS) with regular security updates provided by the operating system provider.
• Install and maintain the latest anti-virus software on the device, where applicable.
• Use strong passwords (e.g. a mixture of letters, numbers and symbols) or strong authentication methods made available by the device provider (e.g. facial recognition or fingerprint authentication).
• Do not root or jailbreak the devices you use.
• Do not download or install applications from third-party websites outside official sources (“sideload apps”), especially unverified apps that request device permissions unrelated to what you plan to use them for.

You (as the accountholder) and your account users shall be responsible for following the latest security guidelines published by UOB, which UOB may update from time to time. As the accountholder, you must also inform all your joint accountholders and your account users of the latest security guidelines published by UOB.

d) Reading content of messages containing the access codes before completing payment transactions or high-risk activities.
Read the messages that come with access codes (e.g. OTPs sent via SMS or push notifications sent via UOB TMRW App). Make sure the action you are about to take or the recipient of your payment is correct before completing it with the access code.

e) Referring to official sources to obtain UOB’s website addresses and phone numbers

• Refer to official sources, e.g. the MAS’ Financial Institutions Directory, UOB TMRW App or the back of UOB Cards, e.g., credit card, debit card (“official sources”) for UOB’s website addresses and phone numbers
• Contact UOB only through contact details from official sources.

f) Links and QR Codes

Do not open any links or scan any QR codes that appear to be sent from UOB – for security reasons, we will not be sending you any links or QR codes, unless you have asked us for such links or QR codes.

g) Understanding the risks and implications of performing high-risk activities

Read the risk warning messages from UOB before confirming any high-risk activities.

If you do not understand the risks and implications of these high-risk activities, you may find out more information from UOB’s website before you perform these activities.  You are taken to have understood the risks and implications of these activities if you proceed to perform them.

h) Reporting unauthorised activities on your account(s)

You must report any unauthorised transactions to UOB within 30 calendar days after receiving the relevant notification or alert for it (e.g. actions that are not initiated by you or with your consent for payment transaction, high-risk activities or the activation of a digital security token.).

Report any unauthorised transaction at any UOB branch, or via UOB’s 24-hour Fraud Hotline at 6255 0160. If you submit a report late (after 30 calendar days), we may need you to provide reasons for the delay.

i) Activating self-service feature (“kill switch”)

If you are notified of an unauthorised transaction and suspect your account(s) has been compromised or if you are unable to contact UOB, activate the kill switch provided by UOB as soon as you can. This will block further mobile and online access to your account(s).

The kill switch is available via UOB’s 24-hour Fraud Hotline – call 6255 0160 and select ‘4’ to activate the kill switch.

j) Providing information on unauthorised transaction

You should promptly provide UOB with all the information we may request to facilitate our investigation of the unauthorised transaction.

Such information may include:

• the UOB accounts affected,
• affected accounts with other banks,
• your identification information,
• the name or identity of any account user for your account,
• the date and time of the loss or misuse of your account,
• your authentication device or access code,
• the type of authentication device used to perform the payment transaction, and
• access code and device used to perform the payment transaction.

If an access code is applicable to your account, we may also need to know:

• how you or your account user recorded the access code,
• if you or your account user had disclosed the access code to anyone else,
• any other relevant information that you know, such as but not limited to:
  • a description of the scam incident, including details of the communications with the suspected scammer(s),
  • details of the remote software downloaded (if any) as instructed by the scammer(s),
  • whether you received any OTPs or transaction notifications sent by UOB (if possible, a confirmation from your telecommunication operator to verify the receipt status), and
  • The suspected compromised applications (if any) in your or your account user’s device.
    
    

k) Making a police report

You are required to make a police report as soon as practicable to facilitate our claims investigation process. If you suspect you may be a victim of scam or fraud, you should also make a police report as soon as you can, even if no unauthorised transactions were made on your account.

Please provide us with a copy of the police report lodged by you within 3 calendar days of reporting an unauthorised transaction to us to facilitate our claims investigation process.

You should cooperate with the police and provide evidence (e.g. your mobile device for forensics investigation) as far as you can.

The transaction notifications service is available to all UOB customers with a UOB Personal Savings/Current Account and/or UOB Principal/Supplementary Credit/ Debit Card. The notifications will be sent via SMS or email, to the latest mobile number or email address registered with UOB.

The type of transaction notifications sent will depend on the type of notifications the accountholder has chosen to receive. Each transaction notification will contain information like the transaction date, time and amount.

Notifications will be sent to the accountholder who performed the transaction.

Notifications will be sent to the supplementary cardholder who has performed the transaction. The principal cardholder will not receive notifications of transactions done by the supplementary cardholder. For transactions done by the principal cardholder, UOB will send the notifications to the principal cardholder.

The supplementary card, its PIN and card mailer will be sent to the address registered under the principal cardholder.

Update your contact details on UOB TMRW App instantly so you don't miss any important notifications or alerts.

To update your contact details, follow these steps:
Step 1: Log in to UOB TMRW App
Step 2: Select ‘Services’ at the bottom of the screen.
Step 3: Under Profile, select ‘Contact Details’.

You may also change your contact details or opt for additional notifications via UOB Personal Internet Banking or by visiting any UOB branch.

If you update your mobile number, we will send SMS-OTPs for UOB Personal Internet Banking and UOB TMRW App, UniAlerts and all other transaction notifications and alerts to your new number.

We strongly encourage you to provide us with your latest contact details, so that you can receive notifications relating to your accounts and transactions.

Where applicable, UOB will give you a screen to review a transaction on UOB Personal Internet Banking and UOB TMRW App before it is executed. This screen will contain relevant transaction and recipient details (e.g. where the account money is debited from, transaction amount, recipient’s account number or name) for you to confirm before a transaction is executed.

You will only receive notifications when the transaction amount is higher than the threshold you set.

Setting a higher threshold may mean scammers can withdraw money from your account in smaller amounts without you noticing or being informed. As a result, you may not be able to report these transactions, secure your account and prevent further losses in a timely manner.

It is important to consider your responsibilities and liabilities under E-Payments User Protection Guidelines for unauthorised transactions when you set your transaction notification thresholds.

1) No clickable links/Quick Response codes (“QR codes”)

UOB will not send clickable links or QR codes to you unless you have asked us for such links / QR codes.

UOB will also not send phone numbers via SMS unless you are expecting to receive the SMS from UOB.

2) Digital security token waiting period

We will impose a 12-hour waiting period when a digital security token is activated on a device. Before the 12 hours are up, the digital security token cannot be used.

3) Informing of risks and implications

We will inform you of the risks and implications of high-risk activities and get additional confirmation from you before you confirm to proceed with such activities.

4) Real-time notifications and alerts for digital security token and high-risk activities

We will provide notifications and alerts in real time when your digital security token is activated, and when any high-risk activities are performed.

These notifications will:

1. be sent to your account contact with UOB. If you have more than one account contact with UOB, the notifications will be sent to the accountholder performing the transaction,
2. be sent to you via SMS, email or in-app/push notification,
3. provide details relevant to the digital security token provisioning and activation or high-risk activity performed (e.g. information of payee added, new transaction limits or change in contact details), and
4. remind you to contact UOB if the digital security token provisioning and activation or high-risk activity was not performed by you.

5) Real-time notifications for outgoing payment transactions

We will send notifications for outgoing payment transactions in real time as long as the transaction amount is higher than the threshold you set. These notifications will:

(i)   be sent to the accountholder performing the transaction,

(ii)  be sent to you via SMS, email or in-app/push notification, and

(iii) provide enough relevant information for you to identify if a transaction is unauthorised (confidential information may be omitted). This information includes:

• account details (e.g. account number);
• recipient details (e.g. recipient name, recipient’s account number);
• transaction amount (including currency);
• transaction time and date;
• transaction type;
• merchant name and reference number (if applicable).

6) Management of notification and alert preferences

While you have the option to receive notifications for all outgoing payment transactions, you can also customise your notification settings to your preferences. We will send you notifications and alerts according to the settings you have selected.

Here’s how you can customise your transaction notification settings.

7) Digital access kill switch

UOB provides a kill switch that allows you to promptly block further digital access to your account(s).

If you are notified of an unauthorised transaction and suspect your account(s) may be compromised or if you are unable to contact UOB for whatever reason, activate the kill switch as soon as you can. This will also disallow further mobile and online payment transfers to third parties who are not authorised billers.

8) Recipient information with access codes

When sending you certain access codes, UOB will also send you important information to help you make sure that your transaction is secure. This information includes:

• account details (e.g. account number),
• recipient details (e.g. recipient name),
• transaction amount (including currency), and
• a reminder not to reveal the access code to anyone else.

9) Transaction reviews before confirmation

For payment transactions made via UOB Personal Internet Banking, UOB TMRW or any UOB ATM, we will provide a screen to review the transaction and recipient details before you confirm the transaction. This review screen will have:

• information that lets you identify the protected account to be debited,
• the intended transaction amount,
• recipient credentials that let you identify them (minimally the recipient’s phone number, identification number, account number or name that they registered to receive such payments), and
• a notice to review and confirm the information before executing the payment transaction.

10) Reporting channel for unauthorised or erroneous transactions

Please contact our 24-hour UOB Fraud Hotline at 6255 0160 or visit any UOB branch in Singapore during usual business hours to report unauthorised or erroneous transactions and block further access via mobile and online channels to your account.

You will be issued with a written acknowledgement of the report and no fee will be charged by UOB for making the report.

11) Assessment of claims

We will assess any claim you make in relation to any unauthorised transaction and assess your liability.

If we assess that such transaction is not an unauthorised transaction, we will inform you of the outcome of our investigation.

For unauthorised transaction claims, you will be required to provide us with a copy of your police report in order for us to commence our investigation. Upon your request, we may provide information on how to file a police report.

We will request that you provide us with information we need to carry out our investigations. Upon your request, we will also provide you with the relevant information we have on the unauthorised transaction(s).

We will complete an investigation of any relevant claim within 21 business days for straightforward cases or 45 business days for complex cases. Complex cases may include cases where a party to the unauthorised transaction resides overseas, or where you have not provided us with sufficient information for us to complete our investigation.

After we inform you of the investigation outcome and the assessment of your liability, you will be asked to acknowledge the outcome of the findings.

If you do not agree with our assessment, you or we may proceed to commence other forms of dispute resolution, including mediation at the Financial Industry Disputes Resolution Centre Ltd (Tel: (65) 6327 8878).

We will credit your account with the total loss arising from any unauthorised transaction (but excluding any loss of business or profit, special, punitive, indirect or consequential loss and any other losses) after we complete our investigation and if we have assessed that you are not liable for any loss arising from the unauthorised transaction.

This only applies to UOB Savings Accounts, UOB Current Accounts, UOB CPF Investment Account, UOB SRS Account, UOB CashPlus and ATM card and will not apply to all UOB Credit / Debit Cards and all related transactions.

1. You shall be liable for actual loss where the primary cause of the loss is your recklessness. Recklessness includes the situation where you or any of your account users deliberately did not comply with the duties of account holders and account users in the E-Payments User Protection Guidelines or the Terms and Conditions Governing Accounts and Services. You are expected to provide such information to us as we may require for us to determine whether you or your account user was reckless. The actual loss that you will be liable for is capped at the applicable transaction limit or daily payment limit on your account.
   
   

2. You shall not be liable for the first S$1,000 of any loss arising from an unauthorised transaction, if the loss arises from any act or omission by any independent third party and does not arise from any failure by you or any of your account users to comply with any of the duties applicable to account holder and account users under the E-Payments User Protection Guidelines or the Terms and Conditions Governing Accounts and Services. Where the relevant account is a joint account, the liability for losses in respect of unauthorised transactions shall apply jointly to each account holder of such joint account. If the value of such unauthorised transaction exceeds S$1,000, you will be liable for the amount exceeding the first S$1,000.

We will make reasonable efforts to facilitate communication between you and the wrong recipient’s bank to improve your chances of recovering the payment amount sent through the erroneous transaction. For simple cases, we will provide you a status update within 9 business days from receiving the necessary information from you.

However, this may take longer in complex cases (e.g. cases where any party to the transaction resides overseas, or if we have not received sufficient information from you to convey instructions).

With effect from 16 December 2024, the following clauses in the Terms and Conditions Governing Accounts and Services (Individual Customers) will be amended:
Clauses 2.8 (c), 2.13, 2.17, 10.3, 10.4, 10.5, 10.6, 11.5, 12, and Part K. Meaning of words.

Please click here for the revised Terms and Conditions.

With effect from 16 December 2024, the following clauses in the Terms and Conditions Governing Digital Services will be amended:
Clause 10.3, 10.4, 10.5, 10.6, 11.5, 11.6, 12.1, 12.2 and 12.3

Please click here for the revised Terms and Conditions.

With effect from 16 December 2024, the following clauses in the UOB Cardmembers Agreement will be amended:
Clause 3.2 to 3.11 and 12.20

Please click here for the revised Terms and Conditions.