SINGAPORE, Jan 21 — OCBC bank's move to fully reimburse all its customers who were victims of a recent SMS phishing scam should not set a precedent for the banking industry, professionals in business, law and cybersecurity sectors said.

They suggested instead that banks and the authorities could work together to come up with broad guidelines that set out the specific situations or parameters where reimbursements should be given to scam victims.

Emily Lai, business risk partner at advisory firm Grant Thornton Singapore, said that there should not be an industry-wide guarantee to bank customers that would cover all potential scams and frauds, especially those arising from their own ignorance, negligence or carelessness.

“Otherwise, the customers may let down their guards and not remain vigilant or cautious of such fraudulent activities.”


Lim Yihao, head of intelligence for Asia Pacific at cybersecurity firm Mandiant, said that setting up such a guarantee could send a wrong signal and may even encourage more cases of fraud to occur.

“It’s similar to how cyber criminals already check if victims are covered by cyber insurance before attacking. Having a guarantee might encourage cyber criminals to target Singapore bank customers more, since consumers are not so concerned about clicking on fraud SMS messages or emails, et cetera, knowing that they will get their money back regardless.

“This could lead to more careless behaviour from consumers with respect to phishing email or SMS messages they receive,” Lim added.


OCBC said on Wednesday (January 19) that it will be making arrangements with all customers who were victims of a recent scam to fully reimburse them by next week for the money they lost.

At least 469 customers were affected by the SMS phishing scam, with losses totalling at least S$8.5 million.

Swindlers had sent out fake bank alerts that spoofed the bank's official SMS channel, duping many of the victims into giving up their personal account information last month.

Several victims told TODAY about their shock and distress over the incidents that happened during the year-end holiday period.

The analysts who spoke to TODAY yesterday believe that there should not be an industry-wide guarantee of reimbursement after a scam.

However, they recognised that OCBC's move might push other banks to follow suit since people might expect the same thing if caught in the same situation.

Jonathan Crompton, partner at RPC law firm, said that customers are looking to their banks for protection.

“Even without a significant legal and regulatory change, if a bank can gain a competitive advantage here commercially, this may be a factor for customers to switch,” he said.

Lai of Grant Thornton Singapore said that expecting all other banks to copy OCBC's move to fully reimburse their customers is a dangerous mindset, since people may subconsciously be less mindful and stop being vigilant.

“It is extremely vital and of utmost importance that customers be ingrained to always remember that banks do not owe customers reimbursements for the lost or stolen money in situations where it is the customers’ own ignorance, negligence or carelessness,” she added.

Setting up industry standards

Though banks are generally not legally obligated to reimburse their customers, the analysts said that the various players as well as government authorities could get together to work out certain industry standards on whether banks should reimburse their customers who have been cheated and the amount to be repaid. 

Lai said that reimbursements should only be done when the scam was due to a breach in cybersecurity controls or internal lapses of a bank.

There may, however, be exceptions in cases where victims were unable to reach the banks in time to block, cancel or void the transactions due to the bank’s slow customer service, or when the bank's internal controls are inadequate to prevent such scam tactics.

“The banks should be required to take some accountability and consider providing contingent reimbursements.

“This would be done by assessing the reasonable steps a victim is expected to take when faced with a scam and whether immediate corrective action has been taken.

“Another thing to assess is the amount of reimbursements that should be given, considering the banks' expected duty of care towards the affected victims,” she added.

Lai also said that the industry can refer to some standards already put up in the United Kingdom, where the reimbursement process is assessed on a case-by-case basis.

“For instance, when scams arise because of a lapse — even a momentary lapse — in the (bank’s) cybersecurity, internal controls or safeguards and features… reimbursements should be made to the affected victims in whole, based on the affected facility.

“Whereas in instances when scams occur due to one’s ignorance, fraudulent or negligent actions, like sharing bank tokens, ATM cards, personal identification number (PIN) and passwords knowingly to another person, then the onus should not be on the banks to reimburse the affected victims for the lost money,” she added.

For Lim of Mandiant, trying to define the various specific situations where victims can be compensated is limiting because scam situations change — and quite quickly at that.

Instead, he suggested that the Monetary Authority of Singapore (MAS) and the banks consider compensation only in instances when victims have been cheated without any input on their end, and when there was nothing they could have done to prevent it.

One example is when criminals impersonate victims to socially engineer telecommunication firms to change SIM cards for phones and get one-time password notifications to be re-directed to the new SIM card.

Terence Siau, chief executive officer of cybersecurity firm Tindo, said that recommending a list of actions that banks should take within a given timeframe the moment they notice abnormal transactions would reduce risks and the amount of money lost to scammers.

And banks that manage to follow this set of actions may not be liable for compensation, while those that do not follow may have to make repayments.

Siau also said that there is no way scams can be prevented entirely, so coming up with guidelines that involve early detection is key.

Although Crompton, the lawyer, agrees that an industry standard is a useful starting point for a bank's internal team to deal with customer complaints, he noted that scams are complex and varied and that it would be very difficult for an industry-wide standard to cover every situation.

“Victim customers are unlikely to be placated by a bank not compensating the loss and giving the reason that it is complying with the industry standard,” he said.

“Customers will continue to take legal action when they think a bank failed to meet its legal obligations, and the common law will continue to develop in this area.”

With or without such industry guidelines, Crompton said that banks should maintain their own internal policies of how to handle fraud complaints and requests for compensation, as well as to ensure that they handle them quickly and in a consistent manner. ― TODAY