No more SMS OTP/TACs for CIMB users by 1H 2023 after BNM’s anti-scam order

CIMB Bank Bhd and CIMB Islamic Bank Bhd said they are “firmly on track” to fully implement the enhanced security measures against scams as announced recently by Bank Negara Malaysia (BNM).

In a statement today, CIMB Group CEO Datuk Abdul Rahman Ahmad said security is always CIMB’s highest priority, pointing out that the bank currently has strong existing controls with multiple layers of security in place.   

“At the same time, CIMB is committed to ensuring that the security measures are continually enhanced to protect customers.   

“As such, the bank is supportive of the five additional security measures as announced by BNM and is committed to fully implementing them in a timely manner”.  

With regard to migrating from SMS one-time passwords (OTP) or transaction authorisation codes (TAC) to a more secure, multi-factor authentication method, CIMB has already implemented SecureTAC approval via CIMB Clicks for online activities, fund transfers and payments as well as changes to personal information and account settings.   

Abdul Rahman added that the SMS OTP/TAC option, which is currently only available as a fallback option for customers without the CIMB Clicks app or FPX transactions, will be done away with for good and replaced with SecureTAC authorisation by the first half of 2023 (1H 2023). 

“CIMB urges all customers who have yet to do so to download the CIMB Clicks app and turn on its notifications as this will be required in order for them to be able to continue enjoying digital banking services in a secure manner,” he said.  

Only 1 secure mobile device by next month 

The bank, he added, is accelerating the implementation of measures to limit customers to one secure mobile device for the authentication of online banking transactions, with a targeted rollout by end-October 2022.   

In line with the central bank’s order for a single, secure mobile device restriction, CIMB will introduce an added control measure in the form of a customer verification callback process for all new online banking registration and new secure device activations to protect customers against financial scams.  

Besides that, CIMB will progressively introduce a cooling-off period as an additional safeguard for first-time enrolment of online banking or secure devices.  

“Once implemented, activation of service will take place during this period only after verification or contact has been made with the customer,” Abdul Rahman explained. 

As for the mandate for financial institutions to further tighten fraud detection rules and triggers for blocking suspected scam transactions, CIMB presently has a sophisticated real-time fraud monitoring system in place to detect high-risk transactions and out-of-norm usage or behaviour.  

Even so, the bank will continue to ensure fraud detection rules are enhanced on an ongoing basis to reflect evolving scam methods and fraudulent behaviour, with customers to be alerted and contacted when unusual or suspicious transactions are flagged.  

On the requirement for financial institutions to set up dedicated hotlines for customers to report financial scam incidents, Abdul Rahman said CIMB has a 24/7 consumer contact centre at +603-6204 7788, where an option for scams or fraud is prioritised on the pre-recorded interactive voice response tree.  

“Will ensure banks can call us for help” 

“The bank will monitor and ensure high compliance in further prioritising scam response and ensure customers are able to contact the bank for assistance or report scams in an expeditious manner,” he pledged. 

On BNM’s requirement for financial institutions to provide convenient ways for customers to suspend their bank accounts or cards if they suspect that their accounts have been compromised, Abdul Rahman again said this measure is already available through CIMB’s consumer contact centre. 

He added that CIMB will provide a self-serve feature on its digital banking platform for customers to temporarily suspend their accounts on their own, tentatively by the first half of 2023.   

Meanwhile, Public Bank Bhd said it has taken further steps to curb the rising number of frauds and scams in the country, including by providing round-the-clock assistance to customers. 

The steps, as announced by Public Bank CEO and managing director Tan Sri Tay Lek today, include immediate termination of access to PBe internet banking and the PB Engage app after a fraud or scam report is received, to prevent further unauthorised transfers while the bank expedites the recovery of stolen funds.

Public Bank added that customers can self-deactivate their access to PBe internet banking and PB Engage mobile banking under such circumstances via the PBe login page, with reactivation only allowed at the bank’s branch or by staff at its case management unit with the necessary verifications. 

Tay also said Public Bank has since deployed a more secure authentication method with its mobile app security token PB SecureSign (PBSS) on PB Engage. – Sept 29, 2022  

