The Monetary Authority of Singapore (MAS) has imposed an additional capital requirement of approximately S$330 million on OCBC Bank (OCBC) due to the bank’s inadequate response to a series of spoofed SMS phishing scams that occurred in December 2021.
During this incident, nearly 470 customers lost at least $8.5 million as scammers impersonated OCBC, sending SMS messages that included links to phishing websites. In response to these scams, OCBC hired an independent firm to review its systems and processes. The review highlighted deficiencies in the bank’s risk mitigation strategies, oversight of transactions, incident management, and handling of customer complaints, which contributed to delays in both containment measures and customer response times.
Marcus Lim, assistant managing director at MAS, emphasized that financial institutions have a responsibility to implement robust measures to prevent, detect, and respond to scams. He noted the importance of adapting controls to counter evolving tactics and taking prompt action when a scam is detected. He also urged consumers to stay vigilant against ongoing attempts by scammers to deceive them into revealing their credentials or initiating unauthorized transfers. MAS is collaborating with the industry and other agencies to enhance collective defenses against such threats.
As part of its initiative to combat scams, MAS has pushed banks to adopt more proactive measures. This includes banning clickable links in emails and SMS messages and setting a default threshold of $100 or lower for transaction notifications to customers. Additionally, there will be a mandatory delay of at least 12 hours before the activation of a new soft token on mobile devices. Customers will also receive notifications sent to their registered mobile numbers or emails whenever they request a change of contact details.
OCBC has started providing goodwill payouts to victims of the scams and has introduced a “kill switch” that allows customers to immediately freeze their current and savings accounts during emergencies.
OCBC Group CEO Helen Wong remarked on the challenges posed by digital banking, stating that scammers are employing increasingly sophisticated tactics to mislead and steal from customers. She acknowledged that the SMS phishing attacks impersonating OCBC in December 2021 were unprecedented due to their high level of realism. While the bank took various actions during the incident, Wong admitted that the response could have been faster and more effective in addressing early signs of the attacks.
In a related development, the Monetary Authority of Singapore raised capital requirements for DBS Bank by S$930 million following a significant disruption in the bank’s digital services in November.