Banks to review use of SMS for OTPs, further strengthen fraud surveillance: Lawrence Wong

SINGAPORE - Banks will accelerate their shift towards the use of mobile banking apps to authenticate customers, authorise transactions and send alerts to customers as part of a multi-pronged effort to thwart scams, said Monetary Authority of Singapore (MAS) deputy chairman Lawrence Wong on Tuesday (Feb 15).

It will be harder for scammers to abuse the apps if the technology is implemented well, he said in Parliament, addressing some of the 39 parliamentary questions arising from the recent OCBC Bank phishing scams.

The questions ranged from whether banks can do more to mitigate fraud risks to how the telco infrastructure can be enhanced.

"The breadth of the issues raised underscore that we need to take an ecosystem approach to strengthen our collective defence against phishing scams, and scams in general," he said. "Everyone in this ecosystem must play their part."

Detailing what the MAS and retail banks will do to bolster the security of digital banking, Mr Wong said the use of SMS to deliver one-time passwords (OTPs) is under review. If SMS should continue to be used, banks will explore new risk mitigation measures.

Banks are also exploring how to expand the use of biometric technology, in addition to passwords and OTPs, as a means of authentication. This will add another layer of security that cannot be easily phished by scammers to access a customer's account, he added.

Other new measures include further strengthening fraud surveillance to identify suspicious and anomalous transactions.

"Most banks do have some rule-based parameters to trigger suspicion - for example, large transfers to a new recipient. But these parameters need to be expanded to take account of a broader range of scam scenarios," said Mr Wong, adding that the enhanced capabilities will also allow banks to detect suspicious credit card transactions.

He added that MAS will expect banks to develop more versatile algorithms that use artificial intelligence and machine learning to detect suspicious transactions.

"Such algorithms should be based on multiple sources of information, including customer profile and vulnerabilities, past transaction patterns, account activity and mobile device identification," said Mr Wong, who is also Finance Minister.

Banks should also step up their ability to immediately block suspicious transactions and contact their customers to verify their authenticity, he said.

The transactions will be processed only upon confirmation by the customer.

"Banks today do have some of these capabilities, but they are not consistent across various types of transactions. We are also looking into enabling customers to trigger a freeze on their own accounts without having to contact the banks if they suspect their accounts have been compromised," he added.

Furthermore, MAS and the banks may introduce additional customer confirmation requirements, and not just notifications, for significant changes to customers' accounts or high-risk transactions.

These include changes in account holder details, activating a token on another device, fund transfers that are large relative to their overall balances and overseas transfers.

"This will introduce some friction to customers carrying out genuine transactions. But we will all need to adapt and get used to these inconveniences in order to strengthen the security of digital banking," said Mr Wong.

A total of 790 people fell prey to phishing scams targeting OCBC customers, with losses tallied at $13.7 million. Victims lost most of the sums during the year-end festive period from Dec 23 to Dec 30. The bank said it would reimburse all customers affected by the scam as a one-off gesture of goodwill.

More than 90 per cent of the affected customers have been reimbursed, and the remaining reimbursements should be disbursed soon, said Mr Wong on Tuesday.

Noting there is no single measure that can guarantee the security of digital banking, he added: "The techniques employed by scammers are constantly evolving and gaining in sophistication. This is why in the fight against scams, banks need to employ a combination of measures in prevention, detection, response and recovery, and constantly review and recalibrate these measures."

It is also not possible to eliminate such scams completely, he said.

He added that MAS requires banks to treat their customers fairly when looking into reports of fraudulent transactions.

"These include comprehensively investigating all cases and suspending late fees for disputed card transactions. Disputed transactions will not adversely affect consumers' credit records with licensed credit bureaus during the investigation period."

These efforts are on top of banking measures announced last month in the wake of the scams, including removing clickable links in SMSes or e-mails sent to retail customers, and having a cooling-off period before implementing requests for key account changes.

Earlier this month, MAS said it would seek public feedback on a framework that outlines how losses from scams are to be shared among consumers, financial institutions and other key parties involved. It aims to publish the framework for public consultation within the next three months.

On Tuesday, Mr Wong said communications infrastructure operators also play a key role in digital security against scams, and the authorities will consider how these operators could share some responsibility.

"Financial institutions should bear an appropriate share of losses arising from scams, but care must also be taken to ensure that any compensation paid to customers does not weaken their incentive to be vigilant," he added.

Dr Tan Wu Meng (Jurong GRC) asked whether the framework will differentiate between a “forced error”, such as when customers are pressured into falling prey to scams, and any “unforced” mistakes that they may make.

He also asked if there is a need for “white hat scammers” – those whose jobs will be to test banks’ procedures for vulnerabilities – to safeguard customers against future scams.

Mr Wong said in response that the framework should be consistent across the entire industry, and equitable in determining how losses should be shared.

“We intend to be quite clear and specific about what these responsibilities are for financial institutions and customers, and what each party is expected to do to prevent scams.

“Then, the share of losses each party bears will depend on whether and how the party has fallen short of these very clearly stated responsibilities,” he added.

Ms Foo Mee Har (West Coast GRC) asked how the MAS fares in its anti-scam controls compared with regulators in other jurisdictions, and if the central bank will impose minimum standards for banks’ fraud surveillance systems.

Mr Wong replied that MAS has gone beyond the usual practices of financial regulators in major jurisdictions, who do not prescribe specific anti-scam controls but set out broad expectations for the banks.

The regulators then assess the adequacy of these measures and impose penalties if the banks fall short of expectations, he added.

He also reiterated that under the framework, financial institutions should bear their share of losses if they fall short of their responsibilities.

Mr Ang Wei Neng (West Coast GRC) asked whether customers can choose not to allow overseas transfers by default unless they authorise the transactions via two-step authentication.

He also asked if banks can deactivate all overseas transfers for a short period amid a surge in scams.

Mr Wong reiterated that MAS may introduce additional customer confirmation requirements for high-risk transactions, including overseas transfers, and banks have implemented cooling-off periods.

“We’ll continue to look at how these measures and safeguards can be strengthened.”
