SIO-9.6.23

Stablecoin issuers must comply with the following requirements with respect to URLs or other clickable links in communications with clients:

(a) Limit the use of links in SMS and other short messages (such as WhatsApp) to messages sent as a result of client request or action. Examples of such client actions include verification links for client onboarding, payment links for client-initiated transactions etc.;
(b) Refrain from using shortened links in communication with clients;

(c) Implement measures to allow clients to verify the legitimacy of the links which may include:

i. clear instructions on the licensee’s website/app where the link is sent as a result of client action on the licensee’s website/app;
ii. communication with clients such as a phone call informing the client to expect a link from the licensee;
iii. provision of transaction details such as the transaction amount and merchant name in the message sent to the client with the link; and
iv. use of other verification measures like OTP, password or biometric authentication.
(d) Create client awareness campaigns to educate their clients on the risk of fraud related to links they receive in SMS, short messages and emails with clear instructions to clients that stablecoin issuers will not send clickable links in SMS, emails and other short messages to request information or payments unless it is as a result of client request or action. Stablecoin issuers may also train their clients by sending fake phishing messages.
Added: July 2025