39 parliamentary questions were posed in Parliament on Feb. 14, with regard to concerns arising from the recent OCBC phishing scams, where ultimately 790 customers lost S$13.7 million.
In response to these queries, three ministers representing the Monetary Authority of Singapore (MAS), the Ministry of Communications and Information (MCI) and the Ministry of Home Affairs (MHA) explained on Feb. 15 how the government will work with stakeholders in the ecosystem to counter the threat of phishing scams in a comprehensive manner to counter such scams.
Should have responded faster and more robustly at the start
Finance Minister Lawrence Wong, who is also the deputy chairman of MAS, rounded up the key facts regarding the OCBC phishing scams in his ministerial statement.
He described the incident as "the most serious phishing scam we have seen involving spoof SMSs impersonating banks" thus far.
Wong said that steps were taken by OCBC at various stages last December as the phishing scams built up, which include working with the police and cybersecurity agency to block and take down the scam websites and to stop sending SMS with clickable links.
However, Wong added that the bank should have "responded faster and more robustly" at the first sign of the scams.
The bank picked up the first sign of the phishing scams in early December and informed MAS on Dec. 24 that it had activated its incident response team.
The phishing scams built up in the month, and by then OCBC's call centre was "overwhelmed".
Banking system itself was not breached
"Despite the bank deploying additional resources, some affected customers experienced delays in reaching the bank to report the scams," Wong said in Parliament.
OCBC has apologised for falling short of its own expectations in customer service and response.
Wong emphasised that this is not a cyber attack on OCBC but a phishing scam, and "at no time was the bank's own system breached".
He also assured members of Parliament that digital banking itself remains "safe and secure".
Review process ongoing
OCBC has engaged an independent external party to review its anti-scam processes thoroughly and recommend necessary remedial actions.
Wong added that MAS will review these findings, take appropriate supervisory actions against the bank, and closely monitor the bank’s implementation of remedial measures.
OCBC's reimbursement efforts do not set precedent for future cases
The bank also reimbursed all affected customers in full as a one-off goodwill gesture.
As of Feb. 15, more than 90 per cent of these customers have received their reimbursement and the reimbursement will reach remaining customers soon.
Wong added that OCBC's goodwill gesture to compensate customers who were affected in these phishing scams "[does] not set a general precedent for future cases".
Framework for equitable sharing of losses arising from scams to be established
MAS has set up expectations for banks to treat their customers fairly when looking into reports of fraudulent transactions, Wong said.
Banks are expected to comprehensively investigate all cases and suspend late fees for disputed account transactions.
Disputed transactions will not adversely affect consumers credit records with licensed credit bureaus during the investigation period, Wong added.
A common and equitable framework for sharing the losses incurred by the customer from scams will be established.
"No matter which bank you go to you should still receive the same fair treatment," Wong said.
Framework to guide future cases
Under this framework, both banks and their customers have their respective responsibilities and the share of losses each party bears will depend on whether and how the party has fallen short of its responsibilities.
Financial institutions should bear an appropriate share of losses arising from scams, but care must also be taken to ensure that any compensation paid to customers does not weaken their incentive to be vigilant.
MAS aims to publish the framework for public consultation within the next three months.
Other than financial institutions, the players operating the communications infrastructure, play a key role in digital security against scams.
So MCI and MAS will consider the shared responsibilities of all the key players in the ecosystem to ensure there is proper accountability.
Follow and listen to our podcast here
Top image via gov.sg/YouTube and Marcus Woon/Google Maps