Much of the conversation about financial crime in Singapore thus far has focused on the risks posed to customers, and indeed, they are the one who usually suffer most immediately, even if insurance may in some cases help offset their losses. Yet there is a significant financial and reputation risk to banks as well. Indeed, the greatest asset that banks have is customer trust. For incumbent banks, this is the most important factor that differentiates them from tech-savvy but unproven digital competitors. Banks perceived to be incapable of protecting customers from the fast-evolving financial crime threat will be at a significant disadvantage in the months and years to come.
On January 30, OCBC said that a total of S$13.7 million was lost in the recent slew of phishing scams. That compares to an earlier estimate of S$8.5 million reported in December. According to an investigation, victims of the scammers provided their online banking log-in credentials and one-time PINs to phishing websites. The criminals then took control of the customers’ accounts and made fraudulent transactions.
Could this have been prevented? To be sure, some people are more gullible than others. Cybercriminals are also intractable. But there is much that banks can do to bulwark their digital infrastructure, stay alert for suspicious activity and educate customers about the threat posed by online financial crime.
OCBC conceded in a statement that its “customer service and response fell short of our own expectations, that could have affected loss mitigation in some of the cases.” With that in mind, it is heartening to hear that the bank has decided to compensate the scam victims in full, which OCBC describes as “as a one-off gesture of goodwill given the circumstances of this scam.”
Looking ahead, new measures announced by the Monetary Authority of Singapore (MAS) to boost digital security for banks may help reduce the likelihood of future incidents of this nature. Per the new measures, there will no longer be clickable links in SMSes or emails sent to customers, a default threshold of S$100 or lower for funds transfer transaction notifications will be set and there will be a delay of at least 12 hours before the activation of a new soft token on a mobile device.
“The growing threat of online phishing scams calls for immediate steps to strengthen controls, while longer-term preventive measures are being evaluated for implementation in the coming months,” the MAS and the Association of Banks in Singapore (ABS) said in a statement.