MAS hits OCBC with additional capital requirement of S$330 million over SMS phishing scam response

SINGAPORE — The Monetary Authority of Singapore (MAS) on Thursday (May 26) said it has imposed an additional capital requirement of S$330 million on OCBC Bank due to "deficiencies" in the bank’s handling of SMS phishing scams in December last year.

OCBC will be required to apply a multiplier of 1.3 times to its risk-weighted assets for operational risk, said MAS in a statement.

This translates to an additional amount of about S$330 million in regulatory capital, based on reported financial statements as at March 31, 2022, said MAS.

A higher capital requirement, according to Investopedia, may inhibit an institution’s ability to invest.

A total of S$13.7 million was lost in the spate of phishing scams that affected 790 customers, according to OCBC Bank in an update in January.

Following the scams, OCBC engaged an independent firm to review its systems and processes.

This uncovered "deficiencies... in the bank’s mitigation of identified risks, pre- and post-transaction controls, incident management and complaints handling, resulting in delays in containment measures and customer response time", said MAS.

These findings were in line with MAS' own assessment, said the regulator, adding that OCBC is in the process of addressing them.

The additional capital requirement takes into account OCBC's efforts to strengthen its controls and its approach to resolving customer complaints following the incident, said MAS.

The additional capital requirement will be reviewed when MAS is "satisfied that OCBC has addressed all deficiencies identified in the review", it added.

Mr Marcus Lim, MAS' assistant managing director (banking and insurance) said: “Financial institutions have a duty to put in place robust measures to prevent, detect and respond to scams.

"This means ensuring that their controls remain effective against evolving scam tactics, and prompt actions are taken as soon as a scam is detected.

"Consumers must also remain vigilant against persistent attempts by scammers to deceive them into divulging their log-in credentials or initiating transfers themselves."

He added that MAS is working closely with the industry and other agencies to further strengthen the sector's collective defences against scams. 

OCBC SHOULD HAVE RESPONDED BETTER, FASTER: CEO

In a statement issued shortly after MAS’ announcement, OCBC said the additional capital requirement would have a 0.21 per cent point impact on the group's capital ratios.

It added that this would have no impact on dividend policy.

CEO Helen Wong acknowledged that the bank “should have responded faster and better to early signs of the attacks”.

She said that as digital banking becomes “a way of life”, “scammers are using increasingly well-orchestrated tactics to convince, mislead and steal”.

“Therefore, the integrated defences that a bank must have in place to prevent, detect and respond to scams are expected by customers,” she added.

Victims of the scam had received “full goodwill payouts” from OCBC, in a move the bank described as a “one-off gesture” given the circumstances of the scam.

She said the phishing attacks were “unprecedented… the tactics reached a level of realism not seen in previous phishing scams”, but that the bank’s systems had not been breached.

The independent firm engaged to review the bank’s systems and processes also ruled out a cyberattack.

In the wake of the phishing scam, OCBC said it took several steps to address customer confidence. These include strengthening its existing fraud surveillance, prevention and controls, setting up a dedicated customer service hotline and care team for fraud victims, as well as ramping up customer communication about scam prevention.

The bank also rolled out a “kill switch” in February that would allow customers to freeze their bank accounts during emergencies.

“Even as vigilance is a shared responsibility with consumers, we are working with all parties in the ecosystem, including the telecommunication companies, the regulator and law enforcement agencies, to continuously assess and calibrate the anti-scam control measures for our digital banking channels,” said Ms Wong on Thursday. CNA