BNM orders migration of SMS OTPs to more secure authentication after PKR, DAP’s urging

Editor’s note: The Association of Banks in Malaysia (ABM), Association of Islamic Banking and Financial Institutions Malaysia (AIBIM) and Association of Development Finance Institutions Malaysia (ADFIM) have since clarified that some banks migrated away from SMS OTPs as early as 2019.


BANK Negara Malaysia (BNM) has introduced additional measures that will be undertaken by the banking industry to combat financial scams, including the migration of SMS one-time passwords (OTP) to a more secure form of authentication.

BNM governor Tan Sri Nor Shamsiah Mohd Yunus announced this and five other measures to strengthen safeguards against financial scams when jointly officiating a financial crime exhibition with Inspector-General of Police (IGP) Tan Sri Acryl Sani Abdullah Sani today (Sept 26).

She added that major banks have already started the process of doing away with SMS OTPs or transaction activation codes (TAC) for online activities or transactions relating to account opening, fund transfers and payments, and changes to personal information and account settings.

“Second, financial institutions will further tighten fraud detection rules and triggers for blocking suspected scam transactions. Customers will be immediately alerted when any such activity involving their banking accounts is detected,” she said.


“As an additional measure, financial institutions will block such transactions, and customers will be asked to confirm that such transactions are genuine before they are unblocked.”

Third, a cooling-off period will be observed for the first-time enrollment of online banking services or secure devices, where no online banking activity will be allowed during this time.

Customers will also be restricted to one mobile or secure device for the authentication of online banking transactions, while financial institutions will be required to set up dedicated hotlines for customers to report financial scam incidents.

“Financial institutions have been directed to be more responsive to scam reports lodged by customers,” Shamsiah added.

“Financial institutions have also been directed to facilitate efforts to recover and protect stolen funds, including to work with relevant agencies to prevent further losses.”

In addition, financial institutions are now required to provide “convenient ways” for customers to suspend their bank accounts if they suspect that their accounts have been compromised as a result of a scam.

Customers will also be able to subsequently reactivate their accounts after a “reasonable period” to ensure that their accounts are secure, she said.

“In short, BNM and the financial industry will continue to ensure that banking and payment channels remain secure and equipped with up-to-date security controls,” she said.

“Calls to reduce scam cases, assist victims”

Opposition parties PKR and DAP have been urging the Government and BNM to reduce the number of scam cases in the country and assist victims of scams for some time now, coming up with their own suggestions as well.

This is in light of an estimated 20,000 people becoming victims of scams in Malaysia each year, with some RM660 mil stolen by scammers yearly.


Among their suggestions were changing the authentication system for online banking to something more security- and identity-based, creating one-stop help centres, and confirming with bank owners when large, repeated and out-of-the-ordinary transactions are made.

Meanwhile, Shamsiah called for patience as tighter security controls to combat scammers inevitably lead to some friction or inconvenience for customers.

For example, online banking transactions might take a little longer to process while financial institutions will also conduct more checks when customers request to change or register a new phone number.

“Make no mistake, while these measures entail some inconvenience, they are important to protect the interests of customers,” she said.

“In implementing these measures, BNM and the financial industry will continue to carefully balance between security considerations and customer convenience,” she added.

She said BNM will also continue to monitor and take appropriate action on financial institutions to ensure that the highest levels of controls and security standards are observed.

Besides that, the central bank will continue cooperating with the Royal Malaysian Police Force (PDRM) to combat financial crimes, including supporting efforts to recover stolen funds and bring scammers to justice.

Shamsiah also said BNM will work with the relevant authorities to further elevate Bukit Aman’s Criminal Crime Investigation Department’s (CCID) scam response centre as a more systematic information-sharing platform that will enable quicker action to prevent further losses.

She further said the cooperation of the Malaysian Communications and Multimedia Commission (MCMC), telecommunication companies, and social media and e-commerce websites is key to preventing these services from being abused for scams, but stopped short of announcing any related collaborations with them. – Sept 26, 2022

