User Protection Guidelines
As a regulated financial entity, MatchMove is committed to upholding the highest standards of integrity and security. We maintain strict compliance with Singapore’s regulatory frameworks as well as the local regulatory guidelines of all jurisdictions in which we operate.
The safety of our financial ecosystem is a shared responsibility. Therefore, as consumers of the MatchMove platform and extension partners, you are required to comply with these user protection guidelines. These standards are designed to safeguard transactions, define clear duties of care, and ensure a secure environment for all participants. By adhering to these practices, we collectively mitigate risks and ensure the continued resilience of our digital payment services.
The Monetary Authority of Singapore (MAS) E-Payments User Protection Guidelines (effective 16 December 2024) include provisions on email and mobile verification for transaction notifications and account security.
The guidelines emphasize using these channels to ensure the user is alerted to any activity on their account. Here are the specific provisions:
Verification for Contact Details
Before MatchMove and partners can send notifications or perform authentication, they must ensure the contact information provided by the user is valid:
1. Verification at Point of Provision
When a user provides a mobile number or email address during onboarding, the partner must verify these details in a "secure manner" (e.g., by sending a one-time password (OTP) to that specific mobile number or a verification link to that email).
2. Updates to Contact Info
Any change to the mobile number or email address on file must be subject to strong authentication. The partner is expected to send a notification to the old contact detail alerting the user that a change has been made.
Mandatory Transaction Notifications
The guidelines mandate that partners use the verified mobile or email channels to send real-time alerts.
1. Default Channels
Partners must provide notifications via SMS or email (or via in-app push notifications).
2. Opt-out Restrictions
While users can often choose their preferred channel (e.g., opting for email over SMS), partners are generally required to ensure that the notification system cannot be completely disabled for transactions above a certain threshold.
3. Content of Verification/Notification
The notification must contain sufficient detail for the user to identify if the transaction is unauthorized, including the transaction amount, time, and the name of the payee (where available). Please refer to the Anti-scam Measures section for more details on the notification contents.
Strong Authentication (2FA)
The guidelines reinforce that mobile and email are key components of Multi-Factor Authentication (MFA):
1. Out-of-Band Verification
For "high-risk" activities (like adding a new third-party payee or changing daily transfer limits), the partner must perform verification through a channel separate from the one used to initiate the request. This often involves sending a verification code to the registered mobile number or requiring a digital token approval.
2. Cooling-off Periods
For changes to key mobile or email contact details, the guidelines support the implementation of a "cooling-off period" before the new details can be used to authorize high-value transactions, preventing scammers from taking over an account instantly.
User Duty to Provide Accurate Info
The guidelines also place a duty on the User:
1. Accurate Records
Users are responsible for providing a correct and updated mobile number and/or email address to the extension partner.
2. Consequences of Failure
If a user fails to provide updated contact information and consequently misses a transaction notification that would have allowed them to stop a scam, it may affect the assessment of the user's "duty of care" during a loss investigation.
3. Security of the Mobile Device
Because the mobile phone often serves as the "verification device," the guidelines state that users must:
- Secure the mobile device with a password, PIN, or biometric (like Face ID/fingerprint).
- Enable lock-screen notification privacy so that OTPs/verification codes are not visible to others when the phone is locked.