Safety and Security - E-payments user protection guidelines | OCBC Singapore

#BeAProAgainstCons with OCBC – empowering you to bank safely and securely

e-Payments user protection guidelines

The Monetary Authority of Singapore has issued the E-Payments User Protection Guidelines (“Guidelines”) which spells out the roles and responsibilities of banks and our customers when conducting activities related to e-payments.

Please be aware of your responsibility as an account holder and adopt safe banking measures to protect your protected account (e.g. bank accounts, debit card, ATM card, credit card and other unsecured credit facilities) from unauthorised or erroneous transactions.

Please read the highlights of the revised Guidelines below to understand the Bank’s as well as your rights and obligations as an account holder (includes a joint account holder and a supplementary credit card holder) under the Guidelines which will take effect on 16 December 2024. For complete information on the Guidelines’ requirements, please refer to the actual Guidelines housed under MAS website.

Please note this should be read together with the sections “UNAUTHORISED ACTIVITIES” and “ERRONEOUS TRANSACTIONS” below, which also contains information about your and the Bank’s duties.

Please also note some of the duties below also apply to account users, who are persons authorised to initiate, execute or both initiate and execute payment transactions using your protected account. Please also inform them of their applicable duties to best safeguard your protected account.

Key definitions in the Guidelines to guide your reading

  • “Access code” means a password, code or any other arrangement that the account user must keep secret, that may be required to authenticate any payment transaction or account user, and may include any of the following:
    1. personal identification number, password or code;
    2. internet banking authentication code;
    3. telephone banking authentication code;
    4. code generated by an authentication device;
    5. code sent by the Bank by phone text message such as SMS,

    but does not include a number printed on a payment account (e.g. a security number printed on a credit card or debit card).

  • “High-risk activities” include, but are not limited to —
    1. adding of payees to the account holder’s payment profile;
    2. increasing the transaction limits for outgoing payment transactions from the payment account;
    3. disabling transaction notifications that the Bank will send upon completion of a payment transaction; and
    4. change in the account holder’s contact information including mobile number, email address and mailing address.
  • “Protected account” means any payment account that:
    1. are held in the name of one or more persons, all of whom are either individuals or sole proprietors;
    2. are capable of having a balance of more than S$1,000 (or equivalent amount expressed in any other currency) at any one time, or is a credit facility;
    3. are capable of being used for electronic payment transactions; and
    4. where issued by a relevant payment service provider is a payment account that stores specified e-money.

What are your responsibilities as an account holder?

Provide contact information, opt to receive and monitor notification alerts

  1. You must provide us with the contact information we need in order for us to send you notifications alerts for payment transactions (of any amount that is above the transaction notification threshold), activation of digital security token and the conduct of high-risk activities.
  2. You should minimally provide us with your Singapore mobile phone number or email address, so that you can receive the opted notification alerts by SMS or email. You must also ensure that contact information provided to us is complete and accurate at all times.
  3. You should enable notification alerts on any device used to receive notification alerts from us.
  4. You should opt to receive your notification alerts via SMS, email or in-app/push notification for all outgoing payment transactions (of any amount that is above the transaction notification threshold), activation of digital security token and the conduct of high-risk activities made from your protected account.
  5. You should monitor the notification alerts received as the Bank may assume that you will monitor such notification alerts without further reminders or repeat notifications.

Protect access codes and secure access to protected account

  1.  
  2.  
  3.  
  4.  
  5.  
  6. You and any account user should not do any of the following:
    • Voluntarily disclose any access code to any third party, including the Bank’s staff;
    • Disclose the access code in a recognisable way on any payment account, authentication device, or any container for the payment account; or
    • Keep a record of any access code in a way that allows any third party to easily misuse the access code.
  1.  
  2.  
  3.  
  4.  
  5.  
  6.  
  7. If you or any account user keeps a record of any access code, you or the account user should make reasonable efforts to secure the record, including keeping the record in:
    • A secure electronic or physical location accessible or known only to you or the account user; and
    • A place where the record is unlikely to be found by a third party.
  1.  
  2.  
  3.  
  4.  
  5.  
  6.  
  7.  
  8. You and any account user should minimally do all of the following when a device (e.g. handphone, desktop, laptop or other device) is used to access the protected account:
    • Only download the OCBC app or OCBC Business app from the official app stores (e.g. Apple App store, Google Play Store and Huawei App Gallery);
    • Update your device’s browser (e.g. Chrome, Safari, Internet explorer, Firefox) to the latest version available;
    • Patch your device’s operating systems with regular security updates provided by the operating system provider;
    • Install and maintain the latest anti-virus software on your device, where applicable (e.g. periodic updates, patches, version releases initiated by the antivirus software providers from time to time);
    • Use strong passwords (such as a mixture of letters, numbers and symbols or strong authentication methods made available by the device provider such as facial recognition or fingerprint authentication methods);
    • Do not root or jailbreak the devices used; and
    • Do not download and install applications from third-party websites outside official sources (“sideload applications”), in particular unverified applications which request device permissions that are unrelated to their intended functionalities.
  1.  
  2.  
  3.  
  4.  
  5.  
  6.  
  7.  
  8.  
  9. You should inform all account users of the security instructions or advice provided by us. An account user should, where possible, follow the security instructions or advice provided by us.

Read messages from us before completing payment transactions or high-risk activities

  1.  
  2.  
  3.  
  4.  
  5.  
  6.  
  7.  
  8.  
  9.  
  10. You and any account user should read the content of the messages containing the access codes (e.g. one-time password (OTP) or equivalent in-app/push notifications via the OCBC app) and verify that the stated recipient or activity is intended before completing the payment transactions or high-risk activities.
  1.  
  2.  
  3.  
  4.  
  5.  
  6.  
  7.  
  8.  
  9.  
  10.  
  11. Check carefully the instruction details before executing or completing any transactions or high-risk activities.
  1.  
  2.  
  3.  
  4.  
  5.  
  6.  
  7.  
  8.  
  9.  
  10.  
  11.  
  12. You and any account user should read the risk warning messages from the Bank and understand the risks and implications before proceeding to confirm the performance of the high-risk activities. You and any account user should always refer to our website or contact us for more information if unsure. By proceeding to perform the high-risk activities, you or (as the case may be) the account user is deemed to have understood the risks and implications as presented by the Bank.

Refer to official sources to obtain the Bank’s website address and contact numbers

  1.  
  2.  
  3.  
  4.  
  5.  
  6.  
  7.  
  8.  
  9.  
  10.  
  11.  
  12.  
  13. You and any account user should always refer to official sources such as MAS’ Financial Institutions Directory (“FID”) or the back of OCBC cards to obtain the Bank’s website address and contact numbers.
  1.  
  2.  
  3.  
  4.  
  5.  
  6.  
  7.  
  8.  
  9.  
  10.  
  11.  
  12.  
  13.  
  14. You and any account user should always refer to the Bank’s website address and contact numbers obtained from official sources to contact us. Please always type our URL : https://www.ocbc.com/login (Individuals) or https://velocity.ocbc.com (Sole Proprietors) into the browser’s address bar or use our OCBC/OCBC Business apps
  1.  
  2.  
  3.  
  4.  
  5.  
  6.  
  7.  
  8.  
  9.  
  10.  
  11.  
  12.  
  13.  
  14.  
  15. You and any account user should not click on links or scan QR codes purportedly sent by the Bank unless you and the account user are expecting to receive information on products and services via these links or QR codes from us. The contents of these links or QR codes should not directly result in you providing any access code or performing a payment transaction or high-risk activity. Such links are only to provide information and could be part of regulatory requirements, such as Terms and Conditions, product description, steps to execute a transaction and fact sheet for investment products.

Take appropriate measures in potential instances of unauthorised activities, scam or fraud

  1.  
  2.  
  3.  
  4.  
  5.  
  6.  
  7.  
  8.  
  9.  
  10.  
  11.  
  12.  
  13.  
  14.  
  15.  
  16. We provide a high-level summary of the duties below for a concise overview. Please refer to section “UNAUTHORISED ACTIVITIES” below for full information on the duties.
  1.  
  2.  
  3.  
  4.  
  5.  
  6.  
  7.  
  8.  
  9.  
  10.  
  11.  
  12.  
  13.  
  14.  
  15.  
  16.  
  17. You should report any unauthorised activity (e.g. transactions, high-risk activities, and the activation of a digital security token) to the Bank as soon as practicable, and no later than 30 calendar days after receipt of any notification alert for any unauthorised activity that has not been initiated by you or with your consent. Reporting should be done through designated channels set out by the Bank (see “UNAUTHORISED ACTIVITIES” below for details) and you should provide us with the reasons for any delayed report.
  1.  
  2.  
  3.  
  4.  
  5.  
  6.  
  7.  
  8.  
  9.  
  10.  
  11.  
  12.  
  13.  
  14.  
  15.  
  16.  
  17.  
  18. For Individuals, you should activate the OCBC Kill Switch to block further mobile and online access to the protected account as soon as practicable after you are notified of any unauthorised transactions and have reason to believe that the account has been compromised, or if you unable to contact the Bank.
  1.  
  2.  
  3.  
  4.  
  5.  
  6.  
  7.  
  8.  
  9.  
  10.  
  11.  
  12.  
  13.  
  14.  
  15.  
  16.  
  17.  
  18.  
  19. You should within a reasonable time provide us with certain information on unauthorised transaction as requested by us. See “Reporting” section of “UNAUTHORISED ACTIVITIES” below for details.
  1.  
  2.  
  3.  
  4.  
  5.  
  6.  
  7.  
  8.  
  9.  
  10.  
  11.  
  12.  
  13.  
  14.  
  15.  
  16.  
  17.  
  18.  
  19.  
  20. You should make a police report as soon as practicable if you suspect that you are a victim of scam or fraud, or at our request. You should cooperate with the police and provide evidence as far as practicable, and also furnish the police report to the Bank within 3 calendar days of our request.

Learn more safe habits when banking online from here.

What are our responsibilities as a bank?
Note:

  • Point 2, 5 to 9, 13 to 15 and 18 to 20 below (marked with asterisk*) are only applicable to Individuals.
  • Except for point 1, 2 to 4, 8 to 11 and 13 to 16, the duties below do not apply to any credit card, charge card or debit card issued by the Bank.

Clearly inform account holder of user protection duties

  1. We will inform you of the user protection duties, including providing such information on our website, and in the Terms and Conditions provided to you for any new protected account issued.

Not send clickable links or QR codes via email or SMS, or phone numbers via SMS

  1.  
  2. *We will not send clickable links or QR codes via email or SMS to you or any account user of a retail protected account unless:
    • it is a link or QR code that only contains information for you or any account user and does not lead to a (i) website where you or any account user provides the access codes or performs any payment transaction or (ii) platform where you or any account user is able to download and install apps; and
    • you or any account user is expecting to receive the email or SMS from us.
  3. We will not send phone numbers via an SMS to you unless you are expecting to receive the SMS from us.
  4. We will ensure our website address is listed on MAS’ FID, and that our contact details reflected on MAS’ FID and other official sources are up to date.

Digital security token activation and High-risk activities

  1.  
  2.  
  3.  
  4.  
  5. *When the digital security token is activated on a device, we will impose cooling-off period of at least 12 hours on your protected account where high risk activities cannot be performed.
  6. *Before you perform a high-risk activity, we will inform you or the account user of the risks and implications of performing the high-risk activities and obtain your additional confirmation before proceeding.
  7. *We will send you real-time notification alerts for activation of digital security token and performance of high-risk activities. We will:
    • Send the notification alert to your existing contact provided to us for the protected account via SMS, email or in-app/push notification. If you have provided more than one account contact to us, the notification will be sent to every account contact selected by you to receive such notifications.
    • Include details relevant to the digital security token provisioning and activation or high-risk activity, such as information on the payee added, new transaction limits or change in contact details in the notification alert.
    • Remind you to contact us if you did not perform the digital security token provisioning and activation or high-risk activity.

Outgoing transactions notification alerts

  1.  
  2.  
  3.  
  4.  
  5.  
  6.  
  7.  
  8. *We will send you real-time transaction notifications alerts for all outgoing payment transactions (in accordance with the transaction notification threshold) made from your protected accounts to your existing contact provided to us for the protected account via SMS, in-app/push notification or email. If you have provided more than one account contact to us, the transaction notification alert will be sent to every account contact selected by you to receive such notifications.
  9. *We will ensure the transaction notification alert contains the following information. We may omit any confidential information, provided the information provided to you still allows you to identify whether the transaction is authorised:
    • Information that allows you to identify the protected account such as the protected account number;
    • Information that allows you to identify the recipient whether by name or by other credentials such as the recipient’s account number;
    • Information that allows us to later identify you, the protected account, and the recipient account such as each account number or name of the account holder;
    • Transaction amount (including currency);
    • Transaction time and date;
    • Transaction type;
    • If the transaction is for goods and services provided by a business, the trading name of the merchant and where possible, the merchant’s reference number for the transaction.

Compliance with your transaction notification preferences for outgoing payment transactions

  1.  
  2.  
  3.  
  4.  
  5.  
  6.  
  7.  
  8.  
  9.  
  10. We may elect to comply with your transaction notification alert preferences for sending of outgoing payment transaction alerts. We will avail you the option to receive transaction notification alerts for all outgoing payment transactions (of any amount) made from your protected account. However, if you instruct us otherwise, we will provide the notification alerts for outgoing transactions in accordance with your instructions. For example, we may provide outgoing transaction notification alerts only when the amount is higher than a notification threshold (e.g. higher than $0.01) or only for certain types of outgoing transactions, per your instruction.
  11. We will avail on our website information on how you can adjust the transaction notification settings. More information can also be found in Section “FREQUENTLY ASKED QUESTIONS ON TRANSACTION NOTIFICATION ALERTS” below.

    We also explain how your liability under Section 5 of the Guidelines may be affected by your transaction notification preferences. More information can be found in Section “FREQUENTLY ASKED QUESTIONS OF LIABILITY AND REPORTING OF ERRONEOUS/UNAUTHORISED TRANSACTION” below.

    Information about how any relevant claim by you in relation to any unauthorised transaction will be resolved can be found in section “UNAUTHORISED ACTIVITIES” below. We will act fairly and responsibly to you at all times.

Incoming transaction notification alerts

  1.  
  2.  
  3.  
  4.  
  5.  
  6.  
  7.  
  8.  
  9.  
  10.  
  11.  
  12. We may, but are not obliged to, provide transaction notification alerts that fulfil the criteria set out for section “outgoing payment transaction notification alerts” under our duties above for payments to your protected account as a matter of good practice.

OCBC Kill Switch

  1.  
  2.  
  3.  
  4.  
  5.  
  6.  
  7.  
  8.  
  9.  
  10.  
  11.  
  12.  
  13. *We provide a kill switch which you can activate via OCBC hotline, OCBC ATM or OCBC app to immediately freeze all your current and savings accounts (including joint accounts), OCBC app access and ATM/debit/credit cards.
  14. *The kill switch disables all the following:
    • Cash withdrawals and deposits (including salary crediting)
    • Local and overseas funds transfers (incoming and outgoing)
    • Bill payments
    • GIRO transactions (incoming and outgoing)
    • NETS transactions
    • VISA and Mastercard transactions using credit/debit/ATM cards physically and digitally
    • Digital banking transactions, including via the OCBC app
  15. *We provide educational information on this feature, including how to activate it. Please take note of when you should activate this feature promptly per your corresponding duty as an account holder above. Please refer to relevant content under section “UNAUTHORISED ACTIVITIES” below for more details.

Provide information on identification of payment recipient

  1.  
  2.  
  3.  
  4.  
  5.  
  6.  
  7.  
  8.  
  9.  
  10.  
  11.  
  12.  
  13.  
  14.  
  15.  
  16. We will ensure messages sent to you or any account user containing access codes (e.g. one-time password (OTP) or equivalent in-app/push notification via the OCBC app) contain the following information to identify the payment recipient:
    • information that allows you or any account user to identify the protected account such as the protected account number;
    • information that allows you or any account user to identify the recipient whether by name or by other credentials;
    • the intended transaction amount (including currency); and
    • a warning to remind you or any account user not to reveal the access code to anyone.

Provide recipient credential information

  1.  
  2.  
  3.  
  4.  
  5.  
  6.  
  7.  
  8.  
  9.  
  10.  
  11.  
  12.  
  13.  
  14.  
  15.  
  16.  
  17. Where payment transactions are made by way of OCBC online banking or OCBC app or device arranged for by OCBC for payment transactions (including a payment kiosk), we will provide an onscreen opportunity for you or any account user to confirm the payment transaction and recipient credentials before execution. The onscreen opportunity will contain the following information:
    • information that allows you or the account user to identify the protected account to be debited;
    • the intended transaction amount;
    • credentials of the intended recipient that is sufficient for you or any account user to identify the recipient, which at the minimum should be the recipient’s phone number, identification number, account number or name as registered for the purpose of receiving such payments; and
    • a warning to ask you or any account user to check the information before executing the payment transaction.

Provide reporting channel

  1.  
  2.  
  3.  
  4.  
  5.  
  6.  
  7.  
  8.  
  9.  
  10.  
  11.  
  12.  
  13.  
  14.  
  15.  
  16.  
  17.  
  18. *We will provide you with a reporting channel that is available at all times for the purposes of reporting unauthorised or erroneous transactions, and blocking further access via mobile and online channels to your protected account. Please refer to section “UNAUTHORISED ACTIVITIES” and “ERRONEOUS TRANSACTIONS” below for more information on the reporting channels.
  19. *The reporting channel will have all the following characteristics:
    • Our reporting channel for individual customers is a manned phone line.
    • Any person who makes a report through the reporting channel will receive a written acknowledgement of his/her/their report through SMS for individual customers
    • We will not charge a fee to any person who makes a report through the reporting channel for the report or any service to facilitate the report.

[Effective on 16 June 2025] Implement real-time detection and blocking of suspected unauthorised transactions

  1.  
  2.  
  3.  
  4.  
  5.  
  6.  
  7.  
  8.  
  9.  
  10.  
  11.  
  12.  
  13.  
  14.  
  15.  
  16.  
  17.  
  18.  
  19.  
  20. *We will have in place capabilities to detect and block suspected unauthorised transactions at all times. The authenticity of suspected unauthorised transactions will be further reviewed, and where applicable, we may contact you for verification before allowing such transactions to be executed. The effectiveness of the detection mechanism will be reviewed annually or as and when there are material triggers.

Assess claims and complete claims investigation, and to credit protected account

  1.  
  2.  
  3.  
  4.  
  5.  
  6.  
  7.  
  8.  
  9.  
  10.  
  11.  
  12.  
  13.  
  14.  
  15.  
  16.  
  17.  
  18.  
  19.  
  20.  
  21. We will assess your liability in accordance with Section 5 of the Guidelines for any claim made by you in relation to any unauthorised transaction covered in Section 5 of the Guidelines. We will have a proper governance structure and investigation process, involving representatives who are independent from business units who are to carry out the above assessment.
  22. Where we have assessed that the relevant claim does not fall within Section 5 of the Guidelines, we will resolve such a claim in a fair and reasonable manner. We will communicate the claim resolution process and assessment to you in a timely and transparent manner.
  23. We may require that you furnish a police report in respect of an unauthorised transaction claim, before we begin the claims resolution process. In doing so, we will, upon your request, provide information on the procedure to file a police report.
  24. We may request you to provide information in accordance with your duty as an accountholder above and as specified in section “UNAUTHORISED ACTIVITIES” below. Upon your enquiry, we will provide you with relevant information that we have of all the unauthorised transactions which were initiated or executed from your protected account, including transaction dates, transaction timestamps and parties to the transaction.
  25. Please refer to detailed information in section “UNAUTHORISED ACTIVITIES” below for our following duties:
    • Complete investigation of any relevant claim within a stipulated timeline, provide you with the investigation outcome, and to seek your acknowledgement of the outcome.
    • Inform you that you and the Bank may commence other forms of dispute resolution if you do not agree with our assessment of liability, or where we have assessed that the claim falls outside of Section 5 of the Guidelines.
    • Credit your protected account with the total loss if we have assessed that you are not liable for any loss arising from the unauthorised transaction.

Scheduled system downtime

  1.  
  2.  
  3.  
  4.  
  5.  
  6.  
  7.  
  8.  
  9.  
  10.  
  11.  
  12.  
  13.  
  14.  
  15.  
  16.  
  17.  
  18.  
  19.  
  20.  
  21.  
  22.  
  23.  
  24.  
  25.  
  26. During a scheduled system downtime, we will ensure the following services are not affected:
    • Inform you of user protection duties;
    • *Impose cooling off period to restrict performance of high-risk activities when a digital security token is activated;
    • *Provide real-time notification alerts for outgoing payment transactions, activation of digital security token, and conduct of high-risk activities;
    • Provide real-time incoming transaction notification alerts (if available)
    • *Provide OCBC Kill Switch to promptly block further mobile and online access to protected account;
    • *Ensure reporting channel is available at all times for the purposes of reporting unauthorised or erroneous transactions, and blocking further access via mobile and online channels to your protected account; and
    • *Implement real-time detection and blocking of suspected unauthorised transactions at all times.
  1.  
  2.  
  3.  
  4.  
  5.  
  6.  
  7.  
  8.  
  9.  
  10.  
  11.  
  12.  
  13.  
  14.  
  15.  
  16.  
  17.  
  18.  
  19.  
  20.  
  21.  
  22.  
  23.  
  24.  
  25.  
  26.  
  27. We will also ensure continued delivery of key services and alternatives, where applicable, and that the scheduled system downtime is not performed during periods where high volume of transactions is expected.
Unauthorised activities

Should you become a victim of an unauthorised activity (e.g. payment transactions, high-risk activities, and the activation of digital security token) or suspected scam or fraud, please inform us immediately. You can report to us by contacting one of our branches during their opening hours or call us at:

Personal Banking
Call 6363 3333 (24-hour)
Calling from overseas? Call +65 6363 3333

Premier Banking
Call 1800 Premier (1800 773 6437)
Calling from overseas? Call +65 6530 5930

To report during non-operating hours, please use the 24-hours Personal Banking hotline

Business Banking
Call 6538 1111
Calling from overseas? Call +65 65381111

For Individuals:

You should activate OCBC Kill Switch via OCBC hotline, OCBC ATM or OCBC app to block online and mobile Banking access as soon as practicable if you are notified of any unauthorised transaction or activity, has reason to believe that your account has been compromised or are unable to contact the Bank.

Reporting:

You should report any unauthorised activity to the Bank through the channels stated above as soon as practicable and no later than 30 calendar days after receipt of notification alert for any unauthorised activity (, e.g., transactions, high-risk activities, and the activation of a digital security token) that were not initiated or consented by yourself. For any delayed reporting beyond the stipulated timeline, you are required to provide the reasons for the delay to us.

You should within a reasonable time provide us with full information of the following:

  • the protected account(s) affected, including your affected accounts with other financial institutions (“FIs”) if any;
  • your identification information;
  • the type of authentication device, access code and device used to perform the payment transaction;
  • the name or identity of any account user for the protected account;
  • whether a protected account, authentication device, or access code was lost, stolen or misused and if so:
    1. the date and time of the loss or misuse,
    2. the date and time that the loss or misuse, was reported to the Bank, and
    3. the date, time and method that the loss or misuse, was reported to the police;
  • where any access code is applicable to the protected account,
    1. how you or any account user recorded the access code, and
    2. whether you or any account user had disclosed the access code to anyone;
  • the payee details including bank name, payee name, account number, transaction date and time, amount, sender, authentication device, your account details; and
  • any other relevant information about the unauthorised transaction that is known to you, such as:
    1. a description of the scam incident, including details of the communications with the suspected scammer(s);
    2. details of the remote software downloaded (if any) as instructed by the scammer(s);
    3. whether you have received any OTPs and/or transaction notifications sent by the Bank, and where applicable/possible a confirmation from telecommunication operators to verify the receipt status only if you are able to obtain it; and
    4. suspected compromised applications (if any) in your or the account user’s device.

  • You should make a police report as soon as practicable if you suspect that you are a victim of fraud or scam, or at our request. We may request that you file a police report to facilitate our claims investigation. If so, please furnish the police report to the Bank within 3 calendar days from the date of our request. You should cooperate with the Police and provide evidence (e.g. furnish your mobile device to the Police for forensics investigation), as far as practicable.

    What will the Bank do after you report an unauthorised transaction?

    After receiving the information required to facilitate the investigation, the Bank will complete an investigation of any relevant claim, involving representatives who are independent from business units, within 21 business days for straightforward cases or 45 business days for complex cases. The Bank will require the police report and information on the unauthorised transaction(s).

    Complex cases may include cases where any party to the unauthorised transaction is residing overseas or where the Bank has not received sufficient information from you (as the account holder and in the case of sole proprietors, the person appointed at point of application/maintenance) to complete the investigation. We will, within the timeline stated above, give you a written or oral report of the investigation outcome and our assessment of your liability in accordance with Section 5 of the Guidelines. We will seek acknowledgement (which need not be an agreement) from you of the investigation report.

    If it has been assessed that you are not liable for any loss from the unauthorised transaction, the Bank will credit your account with the total loss arising from any unauthorised transaction as soon as our assessment is complete. We will disclose this arrangement to you at the time you report the unauthorised transaction to us, and inform you of the timeline for completing our investigation as set out above. For the avoidance of doubt, losses arising from unauthorised transactions exclude any loss of business or profit, special, punitive, indirect or consequential loss and any other losses.

    Should you disagree with our assessment of liability, or where we have assessed that the claim falls outside of Section 5 of the Guidelines, you and the Bank may proceed to commence other forms of dispute resolution including mediation at the Financial Industry Disputes Resolution Centre Ltd (“FIDReC”).

    For erroneous/unauthorised transactions on credit cards, charge cards or debit cards, the dispute resolution process established under the respective card scheme will apply.

Erroneous transactions

If you have sent or received an erroneous transaction, please inform us immediately. You can report to us by calling us at the following hotlines or visiting our branch during their opening hours.

Personal Banking
Call 6363 3333 (24-hour)
Calling from overseas? Call +65 6363 3333

Premier Banking
Call 1800 Premier (1800 773 6437)
Calling from overseas? Call +65 6530 5930

To report during non-operating hours, please use the 24-hours Personal Banking hotline

Business Banking
Call 6538 1111
Calling from overseas? Call +65 6538 1111

Complete a GIRO/FAST/PAYNOW funds recall form or IFT/Telegraphic Transfer/MEPS funds recall form. You may be advised to file a police report.

Give full information of the erroneous transaction such as recipient’s unique identifier, including account number, identification number, name or other credentials entered by you and the date, time, amount and purpose of the transaction.

Please provide us with full information of the erroneous transaction to allow us to begin processing your report.

  1. If sums have been sent in error from your protected account and you require our assistance to recover the sums, you should provide us with the following information at our request:
    • the protected account(s) affected, including your affected accounts with other FIs if any;
    • your identification information;
    • the type of authentication device, access code and device used to perform the payment transaction;
    • the name or identity of any account user for the protected account;
    • the recipient’s unique identifier, including account number, identification number, name or other credentials entered by your or any account user; and
    • the date, time, amount and purpose of the erroneous transaction insofar as such information is known to your or any account user.
  2. If you are the recipient of sums sent in error to your protected account and require our assistance to return the sums, you should provide us with the following information at our request:
    • the protected account(s) to which the erroneous transactions have been made;
    • the date, time and amount of the erroneous transaction insofar as such information is known to you or any other recipient; and
    • any other relevant information about the erroneous transaction that is known to you or any other recipient.

What will the Bank do after you report an erroneous transaction?

The Bank will endeavour to make reasonable efforts and work with the financial institution of the transaction counterparty (if applicable) to assist recovery or return of the sum sent in error and update you of the outcome. Longer time may be taken for more complex cases.

For avoidance of doubt, the Bank is not expected to resolve each erroneous transaction claim but to facilitate effective communication between the account holder and the recipient with the aim to improve account holder’s chances of recovering the payment amount sent through the erroneous transaction.

For erroneous/unauthorised transactions on credit cards, charge cards or debit cards, the dispute resolution process established under the respective card scheme will apply.

Frequently asked questions on Guidelines

What are the E-payment User Protection Guidelines all about?

The Guidelines is issued by MAS to protect users of electronic payments. It aims to encourage wider adoption of e-payments in Singapore.

The Guidelines establish a common baseline protection that Financial Institutions will provide to individuals and sole proprietors from losses arising from unauthorised or erroneous e-payment transactions from their protected accounts.

What is a protected account?

Protected accounts as defined in the Guidelines are those that:

  • are held in the name of one or more persons, all of whom are either individuals or sole proprietors;
  • can hold a balance of more than S$1000 or equivalent amount expressed in any other currency at any one time, or is a credit facility;
  • are capable of being used for electronic payment transactions; and
  • where issued by a relevant payment service provider is a payment account that stores specified e-money.

What payment transactions do the Guidelines cover?

The Guidelines cover all placing, transfer or withdrawal of money, whether for the purpose of paying for goods or services or for any other purpose, and regardless of whether the intended recipient of the money is entitled to the money, where the placing, transfer or withdrawal of money is initiated through electronic means and where the money is received through electronic means. These include online payments and transfers.

What high-risk activities do the Guidelines cover?

The high-risk activities covered by the Guidelines include, but are not limited to-

  • adding of payees to the account holder’s payment profile;
  • increasing the transaction limits for outgoing payment transactions from the payment account;
  • disabling transaction notifications that the responsible FI will send upon completion of a payment transaction; and
  • change in the account holder’s contact information including mobile number, email address and mailing address.

How do the Guidelines protect me?

The Guidelines sets out your responsibilities as an account holder or account user of a protected account. These include how you should protect your device, login credentials, access codes and protected accounts.

We will provide you with outgoing transaction notification alerts and a reporting channel so that you may be alerted of unauthorised/erroneous transactions and report them should they happen.

We will investigate claims of unauthorised transactions, with the aim of achieving a fair and reasonable resolution.

FREQUENTLY ASKED QUESTIONS ON TRANSACTION NOTIFICATION ALERTS

What are these transaction notification alerts for?

The notification alerts safeguard you against unauthorised and erroneous transactions. They are to alert you of such transactions so that you may report them to us for quicker resolution.

What type of transactions will I be notified on?

Notification alerts will be sent by us for outgoing payment transactions initiated and the money is received through electronic means. These include online payments/transfers and debit/credit card transactions.

Some electronic payment transactions may not trigger notifications if they were not initiated or the money is not received through electronic means.

The notification alerts you receive may also depend on your instructions to us. For instance, you may have instructed us that a notification alert be sent only for certain types of outgoing payment transactions or if an outgoing payment transaction is above a certain amount.

What type of transactions will I be notified on based on the Guidelines?

For Individuals:

We will update you with your outgoing payment transaction details by sending SMS notification alerts to your mobile phone number, in-app/push notifications and/or email notification alerts to your email address when you make the following transactions.

Note: Note: To find out which transaction alerts are available, click here.

SMS/Push Notifications/Email Alerts for

Default Enrolment Settings

Default Threshold

Top-ups and NETS purchases initiated via ATM card

Auto-enrolment

S$100 cumulative basis

Bill Payment and funds transfers initiated via ATM card

Auto-enrolment

S$100

Online Banking payments and transfers

Auto-enrolment

S$0.01

Debit/credit card transactions

Auto-enrolment

 S$500

Click here for other transaction alerts available.

ATM, debit/credit card transactions

The default alert threshold for local ATM and local/overseas debit/credit card transactions is S$100 and S$500 respectively. For overseas ATM cash withdrawals, the default alert threshold limit is S$1.00. You may choose to change the threshold to your preferred setting.

However, we recommend that you do not increase your threshold limit from the default limit. If you set it at a higher threshold than the default threshold limit, it will mean that you will not be notified of any transaction below the threshold limit that you’ve set. This may have an impact on your liability for losses arising from unauthorised transactions.

Online banking fund transfers and payments

For outgoing online banking fund transfers and payments, the default notification threshold limit is S$0.01. This threshold limit cannot be adjusted. We strongly encourage that you keep the transaction notification turned on at all times to monitor your transactions.

Channels for transaction notification

You may log in to OCBC Online Banking or OCBC app to select your preferred channel for transaction notifications via SMS, email or in-app/push notification on your mobile device.

For Sole Proprietors:

The default alert threshold for local ATM transactions is $1,000.

SMS/Email Alerts for Default Enrolment Settings Default Threshold
Cashcard top-ups, funds transfer, Bill Payment and NETS purchases initiated via ATM card As per indicated in the Corporate ATM SMS Alert setup/maintenance form S$1,000.00 cumulative basis
Online Banking payments and transfers Auto-enrolment for all online banking users based on contact details provided S$0.01
Card transaction*
- Debit card transactions		 Auto-enrolment based on the contact details provided in the Business Debit Card application S$1,000.00

For outgoing online banking fund transfers and payments, the default notification threshold limit is S$0.01. We strongly encourage that you keep the transaction notification turned on at all times to monitor your transactions.

You may log in to OCBC Business app to manage in-app/push notification on your mobile device for both incoming and outgoing transactions.

Where you have set thresholds for transaction notifications previously, those thresholds will continue to apply. Otherwise, the default threshold set by us will apply.

How will these notifications be sent?

Notification alerts may be sent via any of these channels:

Channels Individuals Sole Proprietors
SMS Yes Yes
Email Yes Yes
In-app/Push Notification Yes Yes

Do I need to enrol for these notification alerts?

For consumer banking customers, you are automatically enrolled for notification alerts of outgoing payment transactions initiated through electronic means and the money is received through electronic means, activation of digital security token and the conduct of high-risk activities.

For sole proprietor customers under business banking, you are automatically enrolled for notification alerts of outgoing payment transactions initiated through electronic means. You may choose to activate in-app/push notification on the OCBC Business app to receive notification alerts when money is received through electronic means.

Please update us with your* latest mobile number or email address to ensure that you receive the notification alerts.

* in the case of sole proprietors, the person appointed at point of application/maintenance.

Will I be charged for this service?

This service is currently free.

I am receiving too many notification alerts. How do I stop these notification alerts?

The notification alerts are a safeguard against unauthorised and erroneous transactions. There is a default threshold limit set for certain types of transactions. Based on your payment patterns, you may wish to adjust your notification thresholds so that you receive notification alerts that are most relevant to you. For instance, you may wish to be notified only if the transaction is above a certain amount.

What will happen to the existing notification thresholds that I have set previously?

Your existing notification thresholds will continue to apply and you may visit the notification settings to change it anytime.

How do I customise the alert settings?

For Individuals:

You may choose to customise the alert settings via OCBC Online Banking or OCBC app. For those alerts with selection of threshold limit available (such as ATM/card transactions), you can change the alert threshold to your preferred setting.

For more enquiries, please call 1800 363 3333 or visit any of our OCBC branches.

For Sole Proprietors:

How do I update my mobile phone number and email address?

To ensure you are kept informed of your account/transaction details, it is important for the Bank to be updated with your current mobile phone number and email address.

You may update your mobile phone number and email address via the following methods:

For Individuals:

You may choose to update your contact details via the following methods:

For Sole Proprietors:

What should I do if I receive a notification alert for a transaction that I do not recognise?

This could be an unauthorised/erroneous transaction and you should inform the Bank immediately. Refer to section “UNAUTHORISED ACTIVITIES” and “ERRONEOUS TRANSACTIONS” for more information on reporting channels.

Frequently asked questions of liability and reporting of erroneous/unauthorised transactions

If I report an unauthorised or erroneous transaction to my bank, when can I expect a resolution?

For unauthorised transactions

We should complete an investigation of any relevant claim within 21 business days for straight forward cases, and up to 45 business days for complex cases.

For erroneous transactions

The Bank will endeavour to make reasonable efforts and work with the financial institution of the transaction counterparty (if applicable) to assist recovery or return of the sum sent in error and update you of the outcome. Longer time may be taken for more complex cases. For avoidance of doubt, the Bank is not expected to resolve each erroneous transaction claim but to facilitate effective communication between the account holder and the recipient with the aim to improve account holder’s chances of recovering the payment amount sent through the erroneous transaction.

General

For erroneous/unauthorised transactions on credit cards, charge cards or debit cards, the dispute resolution process established under the respective card scheme will apply.

If I report an unauthorised transaction, am I still liable for the transaction?

You will not be liable for any loss that arises from any action or omission by us, if you have complied with your duties as an account holder.

Any action or omission by us includes the following:

  • fraud or negligence by the Bank, our employee, our agent or any outsourcing service provider contracted by the Bank to provide our services through the protected account;
  • non-compliance by the Bank or our employee with any requirement imposed by MAS on us in respect of our provision of any financial service;
  • non-compliance by the Bank with any duty set out in Section 4 of the Guidelines.

For losses due to any action or omission by any other independent third party other than us (including persons involved in any action or omission by us as specified above) and you, subject to the below and the loss not arising from any failure by you or any account user to comply with any applicable duties in the Guidelines, you will also not be liable for the first $1,000 of loss arising from an unauthorised transaction.

You will, however, be liable if it is ascertained that the primary cause for loss from an unauthorised transaction was recklessness on your part. Recklessness would include the situation where you or any account user deliberately did not comply with your duties under Section 3 of the Guidelines, of which we had provided a summary above. Examples of conduct that constitute recklessness and could lead to losses from unauthorised transactions include:

  • storing access code in a manner that can be easily accessed by any third party;
  • knowingly sharing or surrendering access codes to non-account users, resulting in completed transactions;
  • ignoring notifications, alerts or warnings from the Bank;
  • following instructions of third parties to open new bank or card accounts without a reasonable basis;
  • retaining sideloaded apps which are unverified or request device permissions that are unrelated to their intended functionalities

Your liability will be capped at the transaction limit or daily payment limit, where applicable.

In all cases, we will conduct an assessment to determine the appropriate liabilities and work towards a fair and reasonable resolution.

For transactions on credit cards, charge cards and debit cards issued in Singapore, the apportioning of liabilities is governed by the ABS Code of Consumer Banking Practice.

What should I do if I receive erroneously sent funds?

Please inform us as soon as possible. You may be facilitating criminal activities, such as money laundering and unlicensed money lending, if you knowingly receive money from strangers, dubious sources or other unverified sources. It is a criminal offence if your bank account is used to receive money linked to criminal activities or keeping erroneously sent funds.

Refer to section “ERRONEOUS TRANSACTIONS” for more information on reporting channels.

If I have sent funds erroneously to a wrong party, what should I do to get my money back?

Please contact us immediately to log your case. Reasonable efforts will be taken by us to recover the money sent, where possible. We and the receiving bank will facilitate communication between you and the recipient to help you recover the money that was sent wrongly.

Refer to section “ERRONEOUS TRANSACTIONS” for more information on reporting channels.

Our guarantee

What is our guarantee (for Personal Banking)?

If you fall prey to fraud and have played your part in protecting yourself from fraud (see below), we guarantee a full refund of any money that has been fraudulently transferred out of your account via OCBC Online Banking or the OCBC app (subject to our Terms and conditions governing Electronic Banking Services).

Our guarantee protects you if you had adopted the following measures:

  • You have kept your hardware token and OCBC OneToken secure at all times;
  • You have not shared your security details with anyone (these include your Access Code, PIN, One-Time passwords from SMS, email hardware token or OCBC OneToken);
  • You have equipped your computer or mobile device with the latest operating system security patches, anti-virus, anti-malware and firewall software. The installed software should be regularly updated to the latest version and run with latest signatures;
  • You have followed our recommendations on Safeguarding Your Internet Banking Access and complied with all your obligations under the Terms and conditions governing Electronic Banking Services and the Terms and conditions governing Deposit Accounts;
  • You have updated us immediately when there is a change in your contact details, such as mobile number and email address, for the purposes of receiving SMS or email notifications on online banking transactions and activities;
  • You have updated us immediately when you change your mobile number for receiving One-time Password (OTP) via SMS; and
  • You inform us immediately if:
    • You are aware of any suspected fraud, including any compromise or loss of your security device or security details;
    • You receive SMS, email or in-app/push notifications for transactions which you did not perform; or
    • You receive alerts notifying you of transactions* that you do not know of and/or did not make, and you provide us with your full cooperation (including providing all the information we request).

*i.e. Change in your daily withdrawal limit or addition of beneficiary/beneficiaries for funds transfer.

Terms and conditions

We hope that the information we provide will be useful to you. However, you are expected to be responsible for the security of your devices.

Personal and Premier Banking customersYour usage of our OCBC Electronic Banking Service is subject at all times to our Terms and conditions governing Electronic Banking Services and the Terms and conditions governing Deposit Accounts.

Business Banking customersYour usage of our OCBC Internet Banking Service known as OCBC Velocity is subject at all times to the Business Account terms and conditions.

Are you sure you want to leave our site?

You are leaving the OCBC Bank website and about to enter a third party website that OCBC Bank has no control over and is not responsible for. Before you proceed to use the third party website, please review the terms of use and privacy policy of their website. OCBC Bank’s Conditions of Access and Privacy and Security Policies do not apply at third party websites.
I would like to stayLeave website