Media statement in response to MAS’ supervisory action after its review of OCBC Bank’s handling of the SMS phishing scam impersonating the bank
Media statement in response to MAS’ supervisory action after its review of OCBC Bank’s handling of the SMS phishing scam impersonating the bank
Said Group CEO Helen Wong, “As digital banking becomes a way of life in today’s world, scammers are using increasingly well-orchestrated tactics to convince, mislead and steal. Therefore, the integrated defences that a bank must have in place to prevent, detect and respond to scams are expected by customers. The SMS phishing attacks impersonating OCBC in December 2021 was unprecedented in that the tactics reached a level of realism not seen in previous phishing scams. While we took various actions in December to stem the scam, we should have responded faster and better to early signs of the attacks.
An independent consultant was engaged to review our anti-scam systems and processes as well as incident management and complaint handling. It was concluded that there was no cyberattack on our IT systems. Neither were our systems breached. We have since implemented and will implement additional measures, including those recommended by the consultant as well as the ones jointly developed with the industry and the authorities.
The one-off gesture of goodwill payouts to victims of the scam was the right thing to do given the circumstances at that time. Even as vigilance is a shared responsibility with consumers, we are working with all parties in the eco-system, including the telecommunication companies, the regulator and law enforcement agencies, to continuously assess and calibrate the anti-scam control measures for our digital banking channels.”
MAS requires OCBC Bank to maintain additional regulatory capital for operational risk by applying a multiplier of 1.3 times to the risk-weighted assets for operational risk for its Singapore banking operations until all the identified gaps have been addressed. This translates to approximately SGD 330 million in regulatory capital as at 31 March 2022, and a 0.21 percentage point impact on OCBC Bank’s Group capital ratios. There will not be any impact on our dividend policy.
---------------------------
Factsheet on OCBC Bank's anti-scam security measures
Following the SMS phishing scam impersonating OCBC Bank in December 2021, where a majority of the amounts lost occurred during the year-end festive period of 23 December 2021 to 30 December 2021, we further enhanced our security measures.
These included the measures which were in the MAS and ABS industry announcement on 19 January 2022 to bolster the security of digital banking. The measures were in response to SMS phishing scams targeting bank customers.
Security measures such as transaction notifications and customer-led funds transfer deactivation were in place prior to the scam.
A timeline of OCBC Bank’s enhanced security measures are as follows:
• On 31 December 2021, we implemented a 24-hour cooling off period for digital token provisioning. This was later revised to 12 hours, to align with the MAS and ABS industry measures.
• Since 1 January 2022, we joined the IMDA Singapore SMS Anti-Spoofing Registry to have the Bank’s registered SMS sender IDs protected.
• Since 11 January 2022, we have removed clickable links in all marketing emails and SMSes. Links were never embedded in SMSes on banking transactions prior to the scam.
• Since 14 January 2022, we have reduced the default funds transfer daily limit for PayNow, and customers are now able to adjust it to their needs. The amount allowed to be transferred per transaction was also reduced. Transaction notifications for PayNow and FAST transfers are at S$0.01.
• Since 18 January 2022, the dedicated customer service care team set up in December 2021 to handle customer queries and reports on fraud has been made permanent. Our OCBC hotline (1800 363 3333) now contains a dedicated option “9” for customers to escalate reports of suspected scams.
• By 19 January 2022 – the day which MAS and ABS announced the industry measures to bolster the security of digital banking – we had already implemented most of the measures.
• On 31 January 2022, we implemented a cooling off period of at least 12 hours for key account changes such as updating a customer’s mobile number for notifications, to align with the industry measures.
• Since 16 February 2022, we have introduced a “kill switch” solution at all OCBC ATMs and via our official OCBC contact number to enable customers to immediately freeze all their current and savings accounts in an emergency.
• By June 2022, we will deploy a team onsite at the Singapore Police Anti-Scam Centre to further enhance the speed of recovering monies stolen through scams.
• We have intensified efforts to educate and inform customers about scams through multiple channels such as our social media channels, email, SMS, and on our website and mobile banking login pages. We would like to again remind consumers to be alert, protect their bank account login credentials, and to only perform banking transactions through the Bank’s official website and mobile banking apps.