Date: 2022-02-16

Banks will accelerate their shift towards the use of mobile banking apps to authenticate customers, authorise transactions and send alerts to customers as part of a multi-pronged effort to thwart scams, said Monetary Authority of Singapore (MAS) deputy chairman Lawrence Wong yesterday.

Scammers will have trouble abusing the apps if the technology is implemented well, he told Parliament, in answer to some of the 39 parliamentary questions about the recent phishing scams targeting OCBC Bank.

Mr Wong, who is Finance Minister, said the issue was so broad it needed an "ecosystem approach" to bolster the collective defence against phishing and other scams, with everyone playing their part.

To bolster the security of digital banking, Mr Wong said the use of SMS to deliver one-time passwords (OTPs) is under review.

Banks are also exploring how to expand the use of biometric technology in addition to passwords and OTPs as a means of authentication. This will add another layer of security that cannot be easily phished by scammers to access a customer's account, he added.

Other new measures include strengthening fraud surveillance to identify suspicious transactions.

"Most banks do have some rule-based parameters to trigger suspicion - for example, large transfers to a new recipient. But these parameters need to be expanded to take account of a broader range of scam scenarios," said Mr Wong, adding that the enhanced capabilities will also allow banks to detect suspicious credit card transactions.

He added that MAS will expect banks to develop more versatile algorithms that use artificial intelligence and machine learning to detect suspicious transactions. These should be based on multiple sources of information, including customer profile, past transaction patterns, account activity and mobile device identification. Banks should also improve their ability to immediately block suspicious transactions and contact their customers to verify their authenticity before processing them, said Mr Wong.

"Banks today do have some of these capabilities, but they are not consistent across various types of transactions. We are also looking into enabling customers to trigger a freeze on their own accounts without having to contact the banks if they suspect their accounts have been compromised," he added.

MAS and the banks may also introduce additional customer confirmation requirements, and not just notifications, for significant changes to customers' accounts or high-risk transactions. "This will introduce some friction to customers carrying out genuine transactions. But we will all need to adapt and get used to these inconveniences in order to strengthen the security of digital banking," said Mr Wong.

A total of 790 people lost money in phishing scams targeting OCBC customers, for a total of $13.7 million. More than 90 per cent of those affected have been reimbursed, and the remaining reimbursements should be disbursed soon, said Mr Wong yesterday.

Noting no single measure can guarantee the security of digital banking, he said the techniques used by scammers are constantly evolving and gaining in sophistication. To fight them, banks need a combination of measures.

He also said MAS requires banks to treat their customers fairly when looking into reports of fraud.

"These include comprehensively investigating all cases and suspending late fees for disputed card transactions. Disputed transactions will not adversely affect consumers' credit records with licensed credit bureaus during the investigation."

These efforts are on top of banking measures announced last month in the wake of the scams, including removing clickable links in SMSes or e-mails sent to retail customers, and having a cooling-off period before implementing requests for key account changes.

Earlier this month, MAS said it would seek public feedback on a framework that outlines how losses from scams are to be shared among consumers, financial institutions and other key parties. It will publish the framework for public consultation within three months.

Mr Wong said communications infrastructure operators like telcos also play a key role in digital security against scams, and the authorities will consider how they could share some responsibility.

Dr Tan Wu Meng (Jurong GRC) asked whether the framework will differentiate between a "forced error", such as when customers are pressured into falling prey to scams, and any "unforced" mistakes that they may make.

Mr Wong said in response that the framework should be consistent across the entire industry, and equitable in determining how losses should be shared.

"We intend to be quite clear and specific about what these responsibilities are for financial institutions and customers, and what each party is expected to do to prevent scams," he said. "Then, the share of losses each party bears will depend on whether and how the party has fallen short of these very clearly stated responsibilities."

Ms Foo Mee Har (West Coast GRC) asked how the MAS fares in its anti-scam controls compared with regulators in other jurisdictions, and if the central bank will impose minimum standards for banks' fraud surveillance systems.

Mr Wong replied that MAS has gone beyond the usual practices of financial regulators in major jurisdictions, which do not prescribe specific anti-scam controls but set out broad expectations for banks.

Mr Ang Wei Neng (West Coast GRC) asked whether customers can choose not to allow overseas transfers by default unless they authorise the transactions via two-step authentication. He also asked if banks can deactivate all overseas transfers for a short period amid a surge in scams.

Mr Wong said MAS may introduce additional customer confirmation requirements for high-risk transactions, including overseas transfers, and banks have implemented cooling-off periods.