Dr Aaron received a call from individuals claiming to be police officers and representatives from Bank Negara Malaysia. Dr Aaron believed he was assisting the authorities in investigating unauthorised transactions made on a credit card, which he claimed did not belong to him. He stated that he disclosed his banking credentials to them.
His conversation with the purported authorities lasted for about half an hour. After that, Aaron rushed back to work. Later in the day, Aaron received a verification call from the bank, and he discovered nine fund transfers totalling RM200,000 were made from his savings account to four third-party beneficiaries. The nine transactions were performed within ten minutes. The next day, Aaron complained to the bank about the incident.
The bank rejected Aaron’s claim because online banking activities were conducted using a valid username and password and corresponding security code generated from the registered mobile security key (soft token).
Aaron contended that he did not authorise these transactions. He alleged that the bank should have known that the transaction pattern was unusual compared to his previous transactions. The bank should have called him sooner instead of three hours after all the fund transfers were completed.
He added that while receiving the messages regarding the transactions, he could not read them on time as he was busy attending to his patients.
OUR FINDINGS
Before the disputed transactions, the soft token was activated on a new mobile device. Aaron’s online transaction limit was increased from RM5,000 to RM200,000, and four third-party beneficiaries were saved as ‘favourite’ payees.
Aaron’s savings account had a minimal balance when the bank called him for verification. Before the call, the bank contended that it had made an immediate attempt to contact Aaron by sending an SMS followed by a verification call. However, the follow-up call was delayed due to the high call volume experienced by the bank’s fraud team. The bank believed that Aaron would not have been able to answer any call due to his busy work schedule during the material call.
OUTCOME
The Ombudsman opined that multiple fund transfers to a new beneficiary within a short period should have raised suspicion, mainly when it involves a newly registered device.
The bank should have temporarily suspended the transactions and internet banking accounts until the transactions were verified. On the other hand, Aaron should have exercised caution before revealing his banking credentials to unknown parties over the phone. Thus, the Ombudsman decided to apportion the loss between Aaron and the bank.