MAS and ABS introduce new measures to bolster digital-banking security

COOLING-OFF periods for account detail changes and a minimum 12-hour delay for activating mobile tokens are among the security controls that Singapore banks will have to put in place within the next fortnight.

This is in accordance with additional measures introduced by the Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) on Wednesday (Jan 19), in response to the recent spate of SMS-phishing scams targeting bank customers.

Working with banks, the Singapore Police Force and the Infocomm Media Development Authority (IMDA), MAS plans to introduce more permanent solutions to combat SMS spoofing, including the adoption of SMS Sender ID registry by all relevant stakeholders.

It is also scrutinising major financial institutions' fraud surveillance mechanisms to ensure they are adequately equipped to deal with the growing threat of online scams.

MAS and ABS said in a joint statement: "MAS expects all financial institutions to have in place robust measures to prevent and detect scams as well as effective incident handling and customer service in the event of a scam."

Banks in Singapore, in consultation with MAS, will put in place more stringent measures within the next two weeks, including:

GET BT IN YOUR INBOX DAILY

Start and end each day with the latest news stories and analyses delivered straight to your inbox.

Sign UpVIEW ALL

•  Removal of clickable links in e-mails or SMS sent to retail customers;

• Threshold for funds transfer transaction notifications to customers to be set by default at $100 or lower;

• Delay of at least 12 hours before activation of a new soft token on a mobile device;

• Notification to existing mobile number or e-mail registered with the bank whenever there is a request to change a customer's mobile number or e-mail address;

• Additional safeguards, such as a cooling-off period before implementation of requests for key account changes such as in a customer's key contact details;

• Dedicated and well-resourced customer assistance teams to deal with feedback on potential fraud cases on a priority basis;

• More frequent scam education alerts.

These additional controls are expected to lengthen the time taken for certain online banking transactions, but are necessary to provide an additional layer of security, MAS said.

DBS, which said that it fully supported the latest measures, said in a statement that it will also stop sending non-essential SMSes to retail and wealth customers from Friday until further notice. Retail and wealth customers will still receive SMS messages such as security and trade notifications and one-time password authentication, but these messages will not contain any clickable links.  

Ravi Menon, managing director of MAS, said the regulator is deeply concerned about the recent spate of scams and victims’ financial losses.

"The threat of scams will not go away, but we can reduce our vulnerabilities. This requires a multi-pronged response across the ecosystem," he said, adding that "we will ensure that digital banking remains secure, efficient, and trusted".

Last month, OCBC phishing scams led to 469 people losing a total of at least S$8.5 million.

READ MORE:

• All OCBC phishing scam victims to get their money back, CEO Helen Wong promises

• BT Explains: What you need to know about SMS phishing

• When scammers can empty your bank accounts of S$8.5m in minutes, where is the sense of security?

• OCBC to continue with physical tokens as it weighs fraud risks to customers