The Monetary Authority of Singapore has asked OCBC Bank to add an additional capital requirement of S$330 million for deficiencies in the bank's response to the wave of spoofed SMS phishing scams that took place in December 2021. According to MAS, OCBC is required to apply a multiplier of 1.3 times to its risk-weighted assets for operational risk.
Following the scams, OCBC engaged an independent firm to review its systems and processes, MAS said. "Deficiencies were noted in the bank’s mitigation of identified risks, pre- and post-transaction controls, incident management and complaints handling, resulting in delays in containment measures and customer response time. The deficiencies identified are in line with MAS’ assessment and the bank is in the process of addressing them," it added.
The additional capital requirement imposed takes into consideration actions taken by OCBC to strengthen its controls and its approach to resolving customer complaints following the incident, and will be reviewed when MAS is satisfied that OCBC has addressed all deficiencies identified in the review.
Financial institutions have a duty to put in place robust measures to prevent, detect and respond to scams, which includes ensuring that their controls remain effective against evolving scam tactics and that prompt actions are taken as soon as a scam is detected, Marcus Lim, assistant managing director (banking and insurance), MAS, said. "Consumers must also remain vigilant against persistent attempts by scammers to deceive them into divulging their log-in credentials or initiating transfers themselves," he added.
In response to MAS' supervisory action, OCBC group CEO Helen Wong said that the independent review concluded there was no cyber attack on its IT systems, nor were its systems breached. At the same time, OCBC has implemented and will implement additional measures, including those recommended by the consultant as well as the ones jointly developed with the industry and the authorities. Wong added that, while the bank took various actions in December to stem the scam, it should have responded faster and better to early signs of the attacks.
She said, "The one-off gesture of goodwill payouts to victims of the scam was the right thing to do given the circumstances at that time. Even as vigilance is a shared responsibility with consumers, we are working with all parties in the eco-system, including the telecommunication companies, the regulator and law enforcement agencies, to continuously assess and calibrate the anti-scam control measures for our digital banking channels."
Last year, OCBC customers were subjected to a "particularly aggressive and highly coordinated" phishing scam, which involved sending customers messages with "too good to be true" deals. OCBC's investigations at the time confirmed that victims who had fallen prey had provided their online banking log-in credentials to phishing websites, after which the scammers quickly transferred money out of the customers’ bank accounts.
As the scam dragged on, OCBC had been making goodwill payouts to customers who fell prey to the scam. The payouts, which started on 8 January 2022, were given to affected customers after thorough verification, taking into account the circumstances of each case, OCBC said in a statement then. MAS had also put new measures in place to bolster the security of digital banking services, such as the removal of clickable links in emails or SMSes sent to retail customers.
OCBC launched a kill switch that enables customers to immediately freeze their accounts in an emergency as well. The kill switch, launched in February, can be activated via mobile or at about OCBC Bank ATMs in the event of a scam. With the kill switch, customers can immediately freeze all their current and savings accounts, ATM access, debit and credit cards and digital banking, as well as OCBC Pay Anyone app access, if they suspect they are a victim of a scam or if they believe account-related details have been otherwise compromised. Additionally, OCBC also launched a dedicated channel, accessible via the bank's official number, for customers to seek assistance for incidents of suspected fraud. A specially trained customer service executive can help customers freeze all bank accounts, guide them through the process of making a police report and follow up on their banking activities after informing the bank of the fraud.