GR-12.2.26
(a) Limit the use of links in SMS and other short messages (such as WhatsApp) to messages sent as a result of customer request or action. Examples of such customer actions include verification links for customer onboarding, payment links for customer-initiated transactions, etc.;
(b) Refrain from using shortened links in communication with customers;
(c) Implement one or more of the following measures for links sent to customers:
i. ensure customers receive clear instructions in communications sent with the links;
ii. prior notification to the customer such as through a phone call informing the customer to expect a link from the licensee;
iii. provision of transaction details such as the transaction amount and merchant name in the message sent to the customer with the link;
iv. use of other verification measures like password or biometric authentication; and
(d) Create customer awareness campaigns to educate their customers on the risk of fraud related to links they receive in SMS, short messages and emails with clear instructions to customers that licensees will not send clickable links in SMS, emails and other short messages to request information or payments unless it is as a result of customer request or action.
Amended: October 2022
Added: January 2022