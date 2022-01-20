SINGAPORE: OCBC’s decision to give "goodwill payouts" to customers hit by an SMS phishing scam was not surprising given the public attention on the incident, lawyers said, but the move is unlikely to set a precedent for future cases.

All affected OCBC customers – at least 469 victims who lost a total of S$8.5 million, according to the police – will receive full payouts covering the money they lost, the bank said on Wednesday (Jan 19).

But victims who have been misled into giving their banking details to scammers are often responsible for the money lost, especially if there are no lapses within the bank's internal and IT systems, legal experts said.

In the case of OCBC, the provision of banking passwords by customers to the crooks "would have been the initial trigger", said Mr Bryan Tan, partner at law firm Pinsent Masons. "The legal position is still the same."

"However as a goodwill measure, (which) means that despite the legal position, OCBC is making the payments on a goodwill basis and without assuming responsibility, which as pointed out, is more difficult to prove."

Similarly unsurprised, Associate Professor Christian Hofmann, deputy director at the National University of Singapore's (NUS) Centre for Asian Legal Studies, agreed that the bank's decision is one of "goodwill" and possibly spurred by the intention to maintain its reputation and scrutiny from authorities.

"This is a pretty high-profile incident and as such, the bank is under pressure and MAS (Monetary Authority of Singapore) has already announced that it will look into the security technology that OCBC applied in order to protect its customers from exactly this kind of scam attack," said Assoc Prof Hofmann.

However, the OCBC payout is unlikely to set a precedent and customers should not be lulled into a false sense of security, lawyer Amolat Singh said.

The payout means that OCBC acknowledges the modus operandi must have been so unique that nobody could have thought about it, and so it is willing to compensate customers' losses, he said.

"Some members of the public or customers of the bank may become a little bit more careless, thinking that it's a safety net, so steps should be taken to disabuse people of this wrong notion and emphasise very clearly that this is perhaps a one-off payout done on a goodwill basis.

"That should also then serve as a warning to the rest that these things can happen in this manner, but it doesn't mean that the bank will be like Santa Claus, always ready and willing to compensate the person whenever he loses money," he added.

THE SCAM

The nearly 470 OCBC customers who were scammed received unsolicited SMSes that claimed there were issues with their banking accounts.

The text message directed them to click on a link to resolve the issue. This led to a fake OCBC website where victims keyed in their Internet banking log-in details, allowing the scammers to gain control of their account.

Mr Steven Lam, a director at Templars Law, said a bank's responsibility to customers is typically spelt out in the terms of contract – such as the services it provides and what it needs to do to protect and ensure the interests of customers.

These contractual terms, however, tend to be biased against customers, making it "practically impossible" for scam victims to come up with a serious defence to prove that they were not liable for the losses, said Assoc Prof Hofmann.

"If you look at the current terms and conditions set by banks, customers are burdened with a whole lot of obligations and duties, but what's really missing is a clear rule on what is required for gross negligent breach of these obligations," he added.

However, financial institutions can still be held liable if they are found to be negligent.

This includes failing to update software requirements as well as taking reasonable steps to fully protect the interests of the clients, said Mr Lam.

In the case of OCBC, whether the bank bears responsibility depends on factors such as the cause which led to the incident as well as if there were any lapses during the process of addressing the situation, he said.

Citing media reports about how some victims were left on hold on the bank's hotlines for extended periods of time, Mr Lam added: "That might be a potentially problematic area for the bank. Because there were complaints about customers left hanging for half an hour and so on and so forth, that in itself may amount to a lapse."