The Monetary Authority of Singapore (MAS) has imposed an additional capital requirement on OCBC Bank, in view of "deficiencies" in the bank’s response to a wave of spoofed SMS phishing scams, MAS said on May 26.
This means that OCBC will have to set aside approximately S$330 million in regulatory capital, or around 1.3 times its risk-weighted assets for operational risk.
MAS previously said in January this year that it was considering "supervisory actions" over the bank's handling of the case, as well as "broader issues relating to the incident".
Deficiencies in OCBC's systems and processes delayed containment measures, customer response time
MAS said that OCBC engaged an independent firm to review its systems and processes after the scams.
Deficiencies were noted in the following areas:
- The bank’s mitigation of identified risks
- Pre- and post-transaction controls
- Incident management and complaints handling
The deficiencies had the effect of delaying containment measures and customer response time, said MAS.
OCBC addressed MAS's supervisory action in a statement to the media on May 26.
Its Group CEO Helen Wong said the December 2021 phishing attacks were "unprecedented" as the scammers' tactics "reached a level of realism not seen in previous phishing scams".
Wong also said that OCBC took "various actions in December to stem the scam", but acknowledged that the bank "should have responded faster and better to early signs of the attacks".
Wong also shared some of the findings of its independent consultant, who reviewed the bank's anti-scam systems and processes as well as incident management and complaint handling. Wong said:
"It was concluded that there was no cyber attack on our IT systems. Neither were our systems breached. We have since implemented and will implement additional measures, including those recommended by the consultant as well as the ones jointly developed with the industry and the authorities."
OCBC said the new regulatory requirement would have a 0.21 percentage point impact on OCBC Bank’s Group capital ratios.
However, there will not be any impact on the bank's dividend policy, it added.
December 2021 phishing scams
The slew of phishing scam cases in December 2021 was first publicised by the bank on Dec. 29, 2021, with 469 customers affected.
OCBC eventually made goodwill payouts of S$13.7 million to nearly 800 victims, as more came forward in early 2022.
Top image via Wikipedia