MAS orders OCBC to hold additional $330m in regulatory capital over SMS phishing scams

MAS said OCBC is required to apply a multiplier of 1.3 times to its risk-weighted assets for operational risk. PHOTO: ST FILE

SINGAPORE - The Monetary Authority of Singapore (MAS) has imposed an additional capital requirement of about $330 million on OCBC Bank, for the "deficiencies" in the bank's response to spoofed SMS phishing scams in December 2021.

MAS said on Thursday (May 26) that OCBC is required to apply a multiplier of 1.3 times to its risk-weighted assets for operational risk.

A total of 790 people fell prey to phishing scams targeting the bank's customers, with losses tallied at $13.7 million. The bank had arranged for "full goodwill payouts" for those affected.

Thereafter, an independent review of the bank's systems and processes uncovered "deficiencies in... identified risks, pre- and post-transaction controls, incident management and complaints handling, resulting in delays in containment measures and customer response time", MAS said. These tallied with MAS' assessment and OCBC is in the process of addressing them.

The additional capital requirement imposed takes into consideration actions taken by the bank to improve its controls and how it resolves customer complaints following the incident.

MAS will review the additional capital requirement when it is satisfied that OCBC has addressed all the identified deficiencies.

MAS assistant managing director (banking and insurance) Marcus Lim said: "Financial institutions have a duty to put in place robust measures to prevent, detect and respond to scams. This means ensuring that their controls remain effective against evolving scam tactics, and prompt actions are taken as soon as a scam is detected.

"Consumers must also remain vigilant against persistent attempts by scammers to deceive them into divulging their log-in credentials or initiating transfers themselves. MAS is working closely with the industry and other agencies to further strengthen our collective defences against scams."

In a statement on Thursday, OCBC group chief executive Helen Wong said: "The SMS phishing attacks impersonating OCBC in December 2021 were unprecedented in that the tactics reached a level of realism not seen in previous phishing scams. While we took various actions in December to stem the scam, we should have responded faster and better to early signs of the attacks."

She added that an independent review concluded that there was no cyber attack on the bank's IT systems, nor were they breached, and that the bank has since implemented additional measures and will implement more, including those "jointly developed with the industry and the authorities".

Ms Wong also said MAS' requirement for an additional $330 million in regulatory capital "will not have any impact on our dividend policy".

Join ST's Telegram channel and get the latest breaking news delivered to you.