Bank refused to refund money to a complainant scammed by a fraudster

ADJUDICATION BY THE OMBUDSMAN 

 

This is a referral by Bank H in relation to the recommendation made by the Case Manager where I am required to review and adjudicate the dispute.

 

Brief Facts  

 

The complainant, Mr Percy, maintains a savings account with Bank H and has been a registered internet banking facility user since 14/09/2017. 

 

On 16/12/2020, at around 2.00 p.m., Mr Percy received a phone call from Bank O requesting that he increase his credit card limit. Mr Percy denied applying for Bank O’s credit card and was then connected to an officer seemingly from Bank Negara Malaysia to file an investigation report.  

 

Mr Percy was unaware that he was speaking with scammers and was deceived into disclosing information about his accounts, Personal Identification Number (PIN), username, password, and SMS notification regarding soft token activation. 

 

According to his police report dated 16/12/2020 at 17:30 hrs., he was informed by the third party that the money would be placed in a separate account for PIDM protection and released in 2–3 days once the investigation was completed. 

 

Mr Percy became suspicious when he received an SMS about a transaction performed on his account. He immediately contacted the Bank H Contact Centre and discovered that the call was a scam. Bank H notified him that a fund transfer of RM51,900.00 had been made from his account, and the internet banking facility for his account was deactivated on 17/12/2020.  

 

Mr Percy denied performing the transfer and wants Bank H to refund the disputed amount. 

 

Mr Percy’s claim was rejected by Bank H on the grounds that the online fund transfer was made using a valid online banking username and password with the corresponding security code generated from the soft token under Mr Percy’s profile. 

 

Issues and Key Findings 

 

The issues to be deliberated are whether Mr Percy is liable for the disputed fund transfer and whether he is entitled to any refund from Bank H.

 

The details of the disputed fund transfer performed on 16/12/2020 are as follows:  

 

Time     From Account   Transaction       Amount        Recipient / 3rd party account / Bank
03:30pm  3xxx197xxxx    Instant Transfer  RM51,900.00   Karen Low / Bank C

 

 

The above transaction was made from Mr Percy’s Personal Internet Banking profile.  

 

According to Bank H’s records, at about 03:06pm the fraudster took over Mr Percy’s online banking by provisioning Mr Percy’s profile on his own device (Xiaomi Redmi 6) and setting up the soft token, using the OTP/security code generated from Mr Percy’s physical Security Device.  

 

The hard token, which can only be accessed by Mr Percy, is part of the authentication process that generates security codes to access online banking and authorise other banking services.  

 

After provisioning of the Xiaomi Redmi 6 device, the physical security device (hard token) becomes unusable, and any log-on and approval of transactions for online banking will be authenticated with security codes generated from the soft token.

 

Upon provisioning of the Bank H Mobile app and soft token activation, an SMS notification was sent to Mr Percy’s mobile phone. However, it was not successfully delivered as it was rejected by the Telco. The content of the SMS would have been as follows: “RM0.00 Bank H : Your soft token has been successfully registered. If you didn’t request this, please contact us immediately.” 

 

At about 03:28pm, the scammer logged into Mr Percy’s online banking using the mobile browser (Xiaomi Redmi 6) and successfully updated Mr Percy’s transaction limit from RM10,000.00 to RM200,000.00 using the security code generated from the soft token on the scammer’s device. 

 

Thereafter, the disputed instant fund transfer was successfully performed with the input of the correct and valid security code, generated from the soft token. The funds were instantaneously transferred to the recipient's account upon such authentication.  

 

Prior to the disputed fund transfer, a sum of RM50,000.00 was transferred from Mr Percy’s Bank C account to his savings account with Bank H.

 

Following the transfer, the bank sent a text message confirming the transaction to Mr Percy’s phone, which states: 

 

RM0.00 from Bank H 16DEC2020: We have debited your Advance a/c with RM51,900.00 due to third party via internet Banking.

 

As soon as Mr Percy received the text from Bank H about the successful transfer of RM51,900.00 at 4.00pm on December 16, 2020, he installed and provisioned the app at 4:00pm and enabled the soft token on his own iPhone device. 

 

For a fund transfer to be carried out successfully, internet banking must be accessed through a valid username, password and security code generated from the soft token. In essence, the fund transfer could not have been made without a valid username, password, and OTP/security code. 

 

Therefore, on the balance of probabilities, Mr Percy’s Username, password, and OTP/Security Code generated from Mr Percy’s hard token were compromised, allowing the transaction to take place.  

 

The account holder’s duty to the bank includes an obligation to keep the username, password and security code secret and not to disclose them to any other person. In addition, he also owes a duty to prevent a third party from having access to his account details. 

 

By the time Mr Percy contacted the bank’s customer service to report the incident, the disputed fund transfer had already been completed. The bank initiated recovery action against the beneficiary’s account, but the recovery was unsuccessful as the funds had already been withdrawn from the beneficiary’s account on the same day as the transaction. 

 

 

Adjudication 

 

Based on the foregoing findings, Mr Percy is indeed a victim of a scam and was tricked into disclosing his banking credentials. The disputed fund transfer of RM51,900.00 was carried out via Bank H online banking with a valid Bank H online banking username and password, and was authenticated with the security code generated from the complainant’s security devices (hard token and soft token) registered with Bank H.

 

The scammer took over Mr Percy’s Bank H mobile banking by provisioning the customer’s profile on the scammer’s device using the OTP generated from Mr Percy’s physical device. Thus, on a balance of probabilities, the OTP was disclosed to the third party, which enabled access to Mr Percy’s online banking. 

 

Nevertheless, Mr Percy was not aware of the provisioning, as the SMS notification of the mobile provisioning and the deactivation of his physical device was not delivered to his mobile phone. In addition, there was no SMS notification of the successful increase of the transaction limit from RM10,000.00 to RM200,000.00. According to the bank, notification of banking limit updates has only been implemented since 21/08/2021. 

 

We opine that SMS alerts of changes in transaction limits and of mobile provisioning are crucial because they may have prompted Mr Percy to realise that his online banking had been taken over by a third party. 

 

In addition to the above, given the fraud trends and incidents, the bank should have implemented additional measures to protect its customers and secure online transactions, such as: 

 

  1. Requiring an OTP or activation code sent to the customer’s registered mobile phone for online/mobile banking provisioning. The text message (SMS) containing the OTP or activation code should clearly state that the OTP is for registration of the customer’s mobile banking provisioning. 
  2. Sending a notification to the account holder by SMS upon successful mobile provisioning on a new device. The text notification should clearly state the activation of the new device and the deactivation of the old device, including the make and model of both phones/devices.  
  3. Sending a notification by SMS to the customer’s registered mobile number after successful online banking transactions, including any changes to the transfer limit. 
  4. Requiring an OTP for the initial transaction from a new device and for fund transfers to any new third party account.  
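To show how the four recommended controls would have behaved on the timeline described in the findings, the following Python policy check is added here as an illustration; it is not Bank H’s system, and the event records, device names and 24-hour “new device” window are constructed for the example.

```python
from dataclasses import dataclass, field

# Assumption: a device counts as "new" for 24 hours after provisioning.
NEW_DEVICE_WINDOW_MIN = 24 * 60


@dataclass
class Profile:
    """Per-customer state the policy consults (hypothetical, not Bank H's schema)."""
    limit: float = 10_000.0
    known_payees: set = field(default_factory=set)
    devices: dict = field(default_factory=dict)  # device name -> minute provisioned


def evaluate(profile: Profile, event: dict) -> list:
    """Return the control actions one event triggers under the four recommendations."""
    actions = []
    if event["type"] == "provision":  # recommendations 1 and 2
        old = ", ".join(profile.devices) or "physical security device"
        actions.append("require OTP on registered phone (SMS states: mobile banking registration)")
        actions.append(f"notify: {event['device']} activated; {old} deactivated")
        profile.devices[event["device"]] = event["t"]
    elif event["type"] == "limit_change":  # recommendation 3
        actions.append(f"notify: limit changed RM{profile.limit:,.2f} -> RM{event['new_limit']:,.2f}")
        profile.limit = event["new_limit"]
    elif event["type"] == "transfer":  # recommendations 3 and 4
        age = event["t"] - profile.devices.get(event["device"], event["t"])
        reasons = []
        if age < NEW_DEVICE_WINDOW_MIN:
            reasons.append("new device")
        if event["payee"] not in profile.known_payees:
            reasons.append("new payee")
        if reasons:
            actions.append("require OTP on registered phone: " + " and ".join(reasons))
        actions.append(f"notify: RM{event['amount']:,.2f} to {event['payee']}")
        profile.known_payees.add(event["payee"])
    return actions


# Constructed timeline following the adjudication's account of 16/12/2020 (minutes after 00:00).
TIMELINE = [
    {"type": "provision", "t": 15 * 60 + 6, "device": "Xiaomi Redmi 6"},
    {"type": "limit_change", "t": 15 * 60 + 28, "new_limit": 200_000.0},
    {"type": "transfer", "t": 15 * 60 + 30, "device": "Xiaomi Redmi 6",
     "amount": 51_900.0, "payee": "Karen Low / Bank C"},
]


def run_timeline(events=TIMELINE) -> list:
    """Evaluate events in order against a fresh profile; returns one action list per event."""
    profile = Profile()
    return [evaluate(profile, e) for e in events]
```

Under this policy each of the three steps would have required an OTP on the registered phone or produced an alert, so the takeover would have surfaced before the transfer rather than after it.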

 

 

In the circumstances, and taking into account the principle of fairness and reasonableness, we decide that the loss of RM51,900.00 is to be apportioned equally between Bank H and Mr Percy. Bank H is to refund the sum of RM25,950.00 to Mr Percy.

 

The above decision is final and there is no appeal. If Mr Percy accepts this decision, he is to inform Bank H in writing of the acceptance within 30 days from the date of the decision. Bank H is bound by the decision and is to comply with the award made within 14 business days from the date the complainant informs the bank of his acceptance of this decision. 

 

If Mr Percy rejects this decision, Bank H is not bound by the decision and Mr Percy is free to pursue his rights against the bank through other means, such as legal proceedings.