MAS draws up framework for equitable sharing of scam losses
In the wake of the OCBC phishing scams and the compensation made by the bank to all affected customers, MAS decided that the industry should have a more equitable framework for sharing such losses.
- MAS is working with banking industry to enhance cybersecurity
- 790 OCBC customers lost about $10 million (SGD 13.7 million) in phishing scams
- Enhanced measures needed as digital banking services become more prevalent
The Monetary Authority of Singapore (MAS) announced it is working with the banking industry on long-term measures to enhance the security of digital banking. It is also developing a framework for equitable sharing of losses which arise from scams.
The move is expected to improve transparency and strengthen consumer confidence, especially with the large number of digital financial services in the country.
MAS is working with banking industry to enhance cybersecurity
Under the framework, banks and financial institutions are responsible for protecting their consumers through robust controls to safeguard customer accounts and measures to detect suspicious transactions. Consumers also have the responsibility to take necessary precautions, including not giving away their personal or banking credentials to others, avoiding suspicious links in SMS or emails, and transacting only through the bank’s official website or mobile application. The proportion of losses each party bears will depend on how they have fallen short of their responsibilities.
MAS emphasised that OCBC’s recent goodwill payouts to fully cover customer losses were a one-off gesture based on consideration of how the bank had not met its own expectations of customer service and response. They do not set a general precedent for future cases.
It expects “financial institutions to treat customers fairly and bear an appropriate proportion of losses arising from scams. At the same time, care must be taken to ensure that compensation paid to customers does not weaken their incentive for all to be vigilant”.
The central bank aims to publish the framework for public consultation in three months, and will also cover the responsibilities of other key parties in the ecosystem.
790 OCBC customers lost about $10 million (SGD 13.7 million) in phishing scams
In January 2022, OCBC, the county’s second largest bank, reported that $10 million (SGD 13.7 million) were lost in a series of year-end phishing scams, up from the $6.3 million (SGD 8.5 million) it had initially cited. The number of affected customers grew to 790, from 469 as more victims came forward. OCBC explained that victims who fell prey had provided their online banking log-in credentials and one-time PINs to phishing websites, thereby enabling the scammers to take over their bank accounts and make fraudulent transactions.
Victims lost about 80% of the total amount from 23 to 30 December 2021. The number of calls made to the bank grew 40% during the period.
The Singapore police reported that in 2021, there were 8,403 cases of scams, up 16%. In the first six months, loan scams grew to 1,243 cases, up 55%, investment scams reached 1,051 cases, up by 200%. However, e-commerce related scams fell to 1,141 cases, down by 38% and banking related phishing totalled 535, down by 40%.
Bank customers who fall prey to phishing scams will usually bear the loss from transactions that they authorise, especially if there are no lapses within the bank’s cybersecurity and IT systems. Customers must promptly submit a fraudulent report and fund a recall request with the bank. The ability to recall the funds is dependent on the response of the receiving bank. Banks can also immediately disable online banking access and cards to prevent scammers from carrying out further fraudulent transactions.
Bryan Tan, a lawyer at the Pinsent Masons remarked, “In a strict legal point of view, customers have an uphill battle as they have little knowledge of bank’s processes nor the resources of a bank. Thankfully, MAS is drawing up a framework for an equitable allocation of losses.”
Police can also issue an order to freeze the recipient account to prevent any dissipation of funds in cases where the transaction involves a local bank account. The chances to recover funds transferred to an overseas bank account are usually slim, although police will work with international partners to track the transactions.
Banks will usually complete an investigation of an unauthorised and fraudulent transaction within 21 business days for straightforward cases, and 45 business days for complex ones. In 2018, MAS issued the e-Payment User Protection Guidelines. The guidelines set out the responsibilities of banks such as providing real-time transaction notifications and a reporting channel. Customers are also expected to take reasonable measures to protect their interest such as following security practices protecting their devices, login credentials, and access codes.
On OCBC’s goodwill payout, Tan shared, “The precedent value is low as goodwill is a concept only recognised by the bank in this particular issue and in the future.”
DBS Group (DBS) warned its customers about the SMS phishing scam. The bank said in an alert on its website that those targeted will receive a suspicious SMS claiming their account has been suspended. Victims will then be directed to verify their details by logging into a phishing website. UOB Group (UOB) also warns its customers about the latest online threat.
Enhanced measures needed as digital banking services become more prevalent
Public health restrictions caused by the pandemic have accelerated the uptake of digital banking services among the population already engaged with traditional banks. In 2020, Singapore approved four digital banking licences to the Grab-Singtel consortium, Sea Group, Ant Group and a consortium led by Chinese real estate developer Greenland Financial Holdings.
Digital banks are also being rapidly launched in the region. In 2021, the Philippines approved six digital banking licences to Overseas Filipino Bank, Gotyme, PayMaya, UnoBank, Tonik, and UnionBank.
In 2020, Hong Kong licensed eight new virtual banks, namely Airstar Bank, Ant Bank, Livi Bank, Fusion Bank, Mox Bank, Ping An OneConnect Bank, WeLab Bank, and ZA Bank. Indonesia is currently home to a number of new and prospective digital banks and digital banking services such as BCA’s Blu, BTPN’s Jenius, Bank Jago, MNC Bank’s MotionBanking, Bank Aladin, Bank Bukopin’s Wokee, DBS’ Digibank, and UOB’s TMRW.
Vietnam has currently five digital banks such as Timo Bank, TNEX, Übank, NEEBank, and Livebank by TPBank. Taiwan issued digital banking licences to three recipients such as LINE Financial Taiwan, Rakuten International Commercial Bank and Next Commercial Bank., They join the digital offering of incumbents such as Richart by Taishin Bank, and KOKO of Cathay United Bank.
The rapid rise of digital payments with the entrance of digital banks as new contenders across Asia will likely cause an increase in digital frauds. Hence, it is necessary and timely for regulators and financial institutions to increase efforts to raise consumer awareness, educate them on preventive and mitigating measures, and in cases where fraud occurs a fair system of sharing the loss
Keywords: Digital Banks, Phishing Scams, Risk, Security, Framework, Economic Cooperation Framework Agreement
Region: Southeast Asia