Banks imposing extra security measures after recent SMS scams; OCBC will make 'full goodwill payouts'

COOLING-OFF periods for account detail changes and a minimum 12-hour delay for activating mobile tokens are among the security controls Singapore banks must put in place in the next fortnight.

The latest measures from the Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) came as OCBC on Wednesday (Jan 19) offered "full goodwill payouts" to all customers who lost money in the recent scam.

Hundreds of OCBC customers lost a combined S$8.5 million over the year-end festive period, when scammers took advantage of old short message service (SMS) technology to impersonate the bank and dupe victims into handing over their online banking log-in details.

In response to the recent spate of SMS-phishing scams targeting bank customers, the MAS, Infocomm Media Development Authority and police will work to introduce more permanent solutions to combat SMS spoofing, including the adoption of SMS Sender ID registry by all relevant stakeholders.

The MAS also scrutinising major financial institutions' fraud surveillance mechanisms, to ensure they are adequately equipped to deal with the growing threat of online scams. It said in a joint statement with the ABS that it "expects all financial institutions to have in place robust measures to prevent and detect scams as well as effective incident handling and customer service in the event of a scam".

The MAS had previously said it expects all affected customers to be treated fairly and "will consider appropriate supervisory actions".

The regulator had also noted OCBC will carry out "a thorough probe to identify the deficiencies in their processes and implement the necessary remedial measures".

OCBC, which earlier this week indicated that it would make payments on a goodwill basis, has now said that it is "making full goodwill payouts to all affected customers of this particular SMS phishing scam impersonating OCBC".

The payouts have gone to more than 100 victims so far - up from some 30-odd on Monday - said OCBC group chief executive Helen Wong in an update. She added that arrangements with all affected customers will be made by next week.

OCBC began releasing payouts to affected customers on Jan 8, though it said in an earlier statement that those were "made on goodwill basis after thorough verification, taking into account the circumstances of each case".

The Straits Times reported this week that some victims who had already received goodwill payouts cited non-disclosure agreements; they declined to share details.

"We seek the understanding and patience of our customers, as thorough validation of each case requires time to ensure accuracy. This process is necessary so that every case is fairly and properly treated," Wong has now said.

"We apologise for taking more time than expected to resolve the issues with our customers during this time of distress and anxiety."

She added that OCBC has prevented more than 200 other customers from falling for the scam by getting in touch with patrons who might not have known that they were vulnerable. She did not give details on the types of customers or how they were susceptible.

Banks in Singapore, in consultation with MAS, will put in place more stringent measures within the next two weeks, including:

  • Removal of clickable links in e-mails or SMS sent to retail customers;
  • Threshold for funds transfer transaction notifications to customers to be set by default at S$100 or lower;
  • Delay of at least 12 hours before activation of a new soft token on a mobile device;
  • Notification to existing mobile number or e-mail registered with the bank whenever there is a request to change a customer's mobile number or e-mail address;
  • Additional safeguards, such as a cooling-off period before implementation of requests for key account changes such as in a customer's key contact details;
  • Dedicated and well-resourced customer assistance teams to deal with feedback on potential fraud cases on a priority basis;
  • More frequent scam education alerts.

These extra controls are expected to lengthen the time taken for some online banking transactions, but are needed for an additional layer of security, the MAS said.

Going further, DBS - which said that it fully supported the latest measures - added that it will also stop sending non-essential SMSes to retail and wealth customers from Friday until further notice.

Ravi Menon, managing director of MAS, said the regulator is deeply concerned about the recent spate of scams and victims' financial losses, and added that "we will ensure that digital banking remains secure, efficient and trusted".

KEYWORDS IN THIS ARTICLE

BT is now on Telegram!

For daily updates on weekdays and specially selected content for the weekend. Subscribe to t.me/BizTimes