The Monetary Authority of Singapore has imposed an additional capital requirement of $330 million, on OCBC Bank over deficiencies in the bank’s response to a wave of spoofed SMS phishing scams last December.
The amount is based on a multiplier of 1.3 times of the bank’s risk-weighted assets for operational risk as at March 31.
This amount is a 0.21 percentage point impact on OCBC Bank’s Group capital ratios. There will not be any impact on its dividend policy.
According to MAS, the additional capital requirement imposed takes into consideration actions taken by OCBC to strengthen its controls and its approach to resolving customer complaints following the incident.
The additional capital requirement will be reviewed when MAS is satisfied that OCBC has addressed all deficiencies identified in the review.
“Financial institutions have a duty to put in place robust measures to prevent, detect and respond to scams,” says Marcus Lim, MAS’ assistant managing director (banking and insurance).
See also: SGX RegCo issues 'trade with caution' warning on karaoke chain 9R
“This means ensuring that their controls remain effective against evolving scam tactics, and prompt actions are taken as soon as a scam is detected,” he says.
“Consumers must also remain vigilant against persistent attempts by scammers to deceive them into divulging their log-in credentials or initiating transfers themselves. MAS is working closely with the industry and other agencies to further strengthen our collective defences against scams,” adds Lim.
According to MAS’ statement, following the scams, OCBC engaged an independent firm to review its systems and processes.
See also: SGX RegCo reprimands former directors and CEO of Sunrise Shares Holdings
Deficiencies were noted in the bank’s mitigation of identified risks, pre-and post-transaction controls, incident management and complaints handling, resulting in delays in containment measures and customer response time.
The deficiencies identified are in line with MAS’ assessment and the bank is in the process of addressing them.
“The SMS phishing attacks impersonating OCBC in December 2021 was unprecedented in that the tactics reached a level of realism not seen in previous phishing scams.
“While we took various actions in December to stem the scam, we should have responded faster and better to early signs of the attacks,” says OCBC’s group CEO Helen Wong.
Wong notes that there were no cyber attacks on the bank’s systems.
Even so, the bank has since then implemented and will implement additional measures, including those recommended by the consultant as well as the ones jointly developed with the industry and the authorities.
Wong reiterates that the bank has also made “goodwill payouts” to the victims, while also adding that “vigilance is a shared responsibility."