Oversea-Chinese Banking Corporation (OCBC), a Singaporean multinational banking and financial services corporation, has been asked to reserve an additional US $240 million after its customers were targeted by a major phishing scam.
It’s thought that at least 790 customers lost a combined SG $13.7 million (US 10.0 million) in the SMS phishing scam last December.
The bank says it has since made goodwill payouts covering all losses to all affected customers.
But the Monetary Authority of Singapore (MAS) has now opted to impose an additional capital requirement, due to what it sees as “deficiencies” in the bank’s response to the scam.
Accordingly OCBC is required to apply a multiplier of 1.3 times to its risk-weighted assets for operational risk, which translates to an additional amount of approximately SG $330 million (US $240 million in regulatory capital.
Following the scams, OCBC engaged an independent firm to review its systems and processes, and MAS notes that “deficiencies” were found in the bank’s mitigation of identified risks, pre- and post-transaction controls, incident management and complaints handling, resulting in delays in containment measures and customer response time.
The deficiencies identified are in line with MAS’ assessment and the bank is in the process of addressing them.
“The additional capital requirement imposed takes into consideration actions taken by OCBC to strengthen its controls and its approach to resolving customer complaints following the incident,” the regulator said.
It added that the additional capital requirement will be reviewed when MAS is satisfied that OCBC has addressed all deficiencies identified in the review.
“Financial institutions have a duty to put in place robust measures to prevent, detect and respond to scams,” said Marcus Lim, Assistant Managing Director (Banking and Insurance), MAS.
“This means ensuring that their controls remain effective against evolving scam tactics, and prompt actions are taken as soon as a scam is detected,” he continued.
“Consumers must also remain vigilant against persistent attempts by scammers to deceive them into divulging their log-in credentials or initiating transfers themselves. MAS is working closely with the industry and other agencies to further strengthen our collective defences against scams.”
OCBC Group CEO Helen Wong also commented on the scamming incident: “The SMS phishing attacks impersonating OCBC in December 2021 was unprecedented in that the tactics reached a level of realism not seen in previous phishing scams.”
“While we took various actions in December to stem the scam, we should have responded faster and better to early signs of the attacks,” she said.