In a ministerial statement on 15 February 2022, Minister Lawrence Wong set out the key facts relating to the recent OCBC SMS phishing scam. He stated MAS's expectation that banks have measures in place to manage the risks of digital banking, including that banks have to:

  • implement multi-factor authentication, such as dynamic passwords or OTPs that can only be used once, to verify the customer’s identity and to authorise online transactions;
  • maintain fraud monitoring systems to facilitate timely detection and blocking of suspicious transactions; and
  • send notification alerts to its customers for outgoing transactions, including credit card transactions, that exceed a threshold that customers can determine so that they can report unauthorised transactions as soon as possible.

After a supervisory review by MAS in October 2021 focused on the adequacy of fraud controls in the digital banking channels, the banks had committed to timelines to take remedial actions, with most measures to be fully implemented by June 2022, while those requiring extensive changes in IT systems were to be completed by December 2022 at the latest.

A set of additional measures was announced on 19 January 2022 for immediate implementation to bolster the security of digital banking against scammers employing tactics similar to those in the OCBC scam cases. The measures include:

  • removing clickable links in all bank emails and SMSes sent to retail customers;
  • imposing a delay of at least 12 hours before a new soft token can be activated on a mobile device;
  • lowering to S$100 or below the default threshold for sending transaction notifications to customers;
  • sending a notification alert to the customer’s existing mobile number or email registered with the bank whenever there is a request for change;
  • sending scam alerts directly to customers through email or SMS; and
  • setting up dedicated call centre teams on a 24/7 basis to assist customers facing a potential scam, and to freeze compromised accounts immediately to prevent further illicit withdrawals.

MAS and the Association of Banks in Singapore are considering the following further measures:

  • Further strengthening fraud surveillance capabilities to identify suspicious and anomalous transactions.
  • Stepping up banks' ability to immediately block suspicious transactions and reach out to their customers to verify authenticity.
  • Introducing additional customer confirmations, not just notifications, for significant changes to their accounts or high-risk transactions.
  • Expanding use of biometric technology.
  • Accelerating the shift towards the use of mobile banking apps for customer authentication, transaction authorisation and delivery of bank notifications.

The Minister stated that MAS has set out expectations for banks to treat their customers fairly when looking into reports of fraudulent transactions. These include comprehensively investigating all cases and suspending late fees for disputed card transactions. Disputed transactions will not adversely affect consumers’ credit records with licensed credit bureaus during the investigation period.

The Minister stressed the importance of a common and equitable framework for sharing the losses incurred by the customer. He stated that "OCBC’s recent goodwill payouts to fully cover customer losses were made as a one-off gesture and do not set a general precedent for future cases."

The Payments Council chaired by MAS has been working on a framework for equitable sharing of losses arising from scams. Under this framework, both banks and their customers have their respective responsibilities and the share of losses each party bears will depend on whether and how the party has fallen short of its responsibilities. Financial institutions should bear an appropriate share of losses arising from scams, but care must also be taken to ensure that any compensation paid to customers does not weaken their incentive to be vigilant.

MAS aims to publish the framework for public consultation within the next three months.

The Minister concluded by emphasising that everyone needs to be on their guard: "The problem of scams requires robust responses at the individual, industry, and infrastructure levels – in short, an ecosystem approach where the various measures work in synergistic fashion."
