SINGAPORE: OCBC’s decision to give "goodwill payouts" to customers hit by an SMS phishing scam was not surprising given the public attention on the incident, lawyers said, but the move is unlikely to set a precedent for future cases.
All affected OCBC customers – at least 469 victims who lost a total of S$8.5 million, according to the police – will receive full payouts covering the money they lost, the bank said on Wednesday (Jan 19).
But victims who have been misled into giving their banking details to scammers are often responsible for the money lost, especially if there are no lapses within the bank's internal and IT systems, legal experts said.
In the case of OCBC, the provision of banking passwords by customers to the crooks "would have been the initial trigger", said Mr Bryan Tan, partner at law firm Pinsent Masons. "The legal position is still the same."
"However as a goodwill measure, (which) means that despite the legal position, OCBC is making the payments on a goodwill basis and without assuming responsibility, which as pointed out, is more difficult to prove."
Similarly unsurprised, Associate Professor Christian Hofmann, deputy director at the National University of Singapore's (NUS) Centre for Asian Legal Studies, agreed that the bank's decision is one of "goodwill", possibly spurred by the intention to maintain its reputation and by scrutiny from authorities.
"This is a pretty high-profile incident and as such, the bank is under pressure and MAS (Monetary Authority of Singapore) has already announced that it will look into the security technology that OCBC applied in order to protect its customers from exactly this kind of scam attack," said Assoc Prof Hofmann.
However, the OCBC payout is unlikely to set a precedent and customers should not be lulled into a false sense of security, lawyer Amolat Singh said.
The payout means that OCBC acknowledges the modus operandi must have been so unique that nobody could have thought about it, and so it is willing to compensate customers' losses, he said.
"Some members of the public or customers of the bank may become a little bit more careless, thinking that it's a safety net, so steps should be taken to disabuse people of this wrong notion and emphasise very clearly that this is perhaps a one-off payout done on a goodwill basis.
"That should also then serve as a warning to the rest that these things can happen in this manner, but it doesn't mean that the bank will be like Santa Claus, always ready and willing to compensate the person whenever he loses money," he added.
The nearly 470 OCBC customers who were scammed received unsolicited SMSes that claimed there were issues with their banking accounts.
The text message directed them to click on a link to resolve the issue. This led to a fake OCBC website where victims keyed in their Internet banking log-in details, allowing the scammers to gain control of their account.
Mr Steven Lam, a director at Templars Law, said a bank's responsibility to customers is typically spelt out in the terms of contract – such as the services it provides and what it needs to do to protect and ensure the interests of customers.
These contractual terms, however, tend to be biased against customers, making it "practically impossible" for scam victims to come up with a serious defence to prove that they were not liable for the losses, said Assoc Prof Hofmann.
"If you look at the current terms and conditions set by banks, customers are burdened with a whole lot of obligations and duties, but what's really missing is a clear rule on what is required for gross negligent breach of these obligations," he added.
However, financial institutions can still be held liable if they are found to be negligent.
This includes failing to update software requirements as well as failing to take reasonable steps to fully protect the interests of the clients, said Mr Lam.
In the case of OCBC, whether the bank bears responsibility depends on factors such as the cause that led to the incident as well as whether there were any lapses during the process of addressing the situation, he said.
Citing media reports about how some victims were left on hold on the bank's hotlines for extended periods of time, Mr Lam added: "That might be a potentially problematic area for the bank. Because there were complaints about customers left hanging for half an hour and so on and so forth, that in itself may amount to a lapse."
MORE TO BE DONE?
But the experts also said there should be better safeguards in place for victims of fraud, especially with the country moving towards digital payments and scams becoming more sophisticated and prevalent.
On Wednesday, MAS and the Association of Banks in Singapore (ABS) announced that more measures would be put in place within the next two weeks to beef up the security of digital banking services. These include removing clickable links in SMSes or emails sent to customers as well as setting a default threshold of S$100 or lower for funds transfer notifications.
MAS said it is also intensifying its scrutiny of major financial institutions’ fraud surveillance mechanisms to ensure they are adequately equipped to deal with the growing threat of online scams.
A review led by MAS is also looking at how to apportion the liability of a fraudulent online transaction between affected consumers and financial firms.
"Currently, banks can single-handedly set all the rules for this bank-customer relationship without customers being able to object to it because what happens if they object is they can't open an account and cannot participate in electronic banking services," said Assoc Prof Hofmann.
"In this time and age, when we all are fully dependent on electronic payment systems or have no more choice of abstaining from these kinds of transactions, we need a very clear and robust legal and regulatory framework."
An example, he said, would be the European Union's Payment Services Directive, introduced in 2007, which states that banks can only claim damages for the losses incurred from fraudulent third-party transactions if they can prove that the customer acted with gross negligence.
Assoc Prof Hofmann said the key difference is that the burden of proof is on the banks, rather than the customers.
"According to EU law, the bank needs to tell you what all the technologies it uses are, and unless the bank can prove that there was a grossly negligent breach of obligations on the customer side, the customer does not bear any losses," he said.
"In Singapore, there is no guidance from the law so everything is purely determined by the contractual terms between the bank and the customer and I think that needs to be addressed."
In November last year, the UK's payment systems regulator announced that it would make necessary legislative changes to provide for mandatory reimbursement for scam victims.
It also proposed to make it compulsory for the country's biggest banks to publish data on reimbursement levels for victims of push payment fraud, as well as on which banks' and building societies' accounts are being used to receive the fraudulent funds.
But Mr Singh warned that if banks had to factor in compensation for customers who might be cheated of their money, this would drive up their operating costs and customers could see trade-offs.
"It may be a bit too burdensome and onerous (if all banks were made to compensate victims of fraud) because it is very difficult for the banks to try and imagine all possible scenarios," he said.
"They may have to take steps that are so extreme and so costly, that they may not be able to offer customers the kind of services and kind of returns that they may be able to do now."
Ultimately, experts say tackling the new threat is a shared responsibility for all – the Government, consumers and businesses.
"Everybody has a part to play whether it’s practising due diligence by not leaving passwords lying around or just being more vigilant, or having more safeguards in place to protect bank customers and their money," said Mr Singh.