UPDATE: OCBC required to hold additional capital after phishing scam response

OCBC building in Singapore’s central business district. Photo taken pre-Covid.

This item was originally published on Thursday, 26 May at 23:03 SGT; it has since been updated to include comments from OCBC CEO Helen Wong.

The Monetary Authority of Singapore (MAS) has imposed additional capital requirements on OCBC Bank after its spotty response to phishing scams in December.

OCBC will be required to hold around S$330 million (US$240.01 million) in additional capital, or a multiplier of 1.3 times its risk-weighted assets, Singapore’s central bank said, citing deficiencies in the bank’s response to a spate of spoofed phishing scams.

Marcus Lim, assistant managing director for banking and insurance at MAS, said financial institutions have a duty to have robust measures to deal with scams.

“This means ensuring that their controls remain effective against evolving scam tactics, and prompt actions are taken as soon as a scam is detected,” Lim said in the statement on the MAS’ website. “MAS is working closely with the industry and other agencies to further strengthen our collective defences against scams.”

In January, OCBC said it lost S$13.7 million in the scams, with around 790 victims. The bank came under criticism for what was seen as a slow response, and later agreed to make one-time restitution to the victims.

The scams were unusually sophisticated as SMS messages were sent to victims from a spoofed phone number matching the bank’s usual communications channels. The messages claimed there were issues with the victims’ bank accounts and provided a link to a fake website closely resembling OCBC’s site; victims were then directed to provide login details. In February, the Singapore Police Force (SPF) arrested 13 people for suspected involvement, and SPF said earlier this year it was working with Interpol and foreign law enforcement agencies to investigate overseas beneficiaries of the funds and website hosts.

OCBC CEO Helen Wong noted the December phishing attacks “reached a level of realism not seen in previous phishing scams.”

“While we took various actions in December to stem the scam, we should have responded faster and better to early signs of the attacks,” Wong said in a statement. She noted there was no cyberattack on the bank’s systems, which were not breached.

“The one-off gesture of goodwill payouts to victims of the scam was the right thing to do given the circumstances at that time,” Wong said. “Even as vigilance is a shared responsibility with consumers, we are working with all parties in the eco-system, including the telecommunication companies, the regulator and law enforcement agencies, to continuously assess and calibrate the anti-scam control measures for our digital banking channels.”

The MAS noted that after the wave of scams, OCBC engaged an independent firm to review its systems.

“Deficiencies were noted in the bank’s mitigation of identified risks, pre- and post-transaction controls, incident management and complaints handling, resulting in delays in containment measures and customer response time,” the MAS said.

The central bank said the deficiencies in the independent review were in line with its own assessment, with OCBC in the process of addressing the issues.