On 23/10/2016 at 11am, Ms X visited XYZ Bank to withdraw her pension money, amounting to RM747.00 and credited into her savings account on a monthly basis. Ms X discovered that her pension had already been withdrawn.
On 7/11/2016, Ms X lodged a police report and made an official complaint with XYZ Bank upon being notified that her pension was remitted via internet banking to an account maintained in Indonesia.
Ms X received a reply from XYZ Bank rejecting the claim on the grounds that the disputed transaction was successfully executed with Ms X’s valid username, password and One Time Password (OTP).
Ms X is not satisfied with XYZ Bank’s investigation and the decision on the claim. She contended that she should not be held liable for the transaction as it was performed without her consent.
Ms X is not computer literate and denied applying for XYZ Bank’s internet banking facilities. Ms X emphasized that she always kept her ATM card safely and never divulged the Personal Identification Number (PIN) to anyone. Ms X denied receiving any short message service (SMS) messages or calls inviting her to participate in any contests, prize winnings etc.
Investigation and Findings
XYZ Bank’s record showed that Ms X’s internet banking facility was activated on 27/10/2015 and was cancelled on 7/11/2016.
XYZ Bank’s investigation revealed that Ms X is a victim of an SMS-Phone scam based on the following factors:
- The registration of internet banking can only be performed via Ms X’s ATM card number and PIN, which are known only to her;
- The OTP was sent to a mobile number that was registered via the ATM machine using Ms X’s ATM card and PIN as well.
XYZ Bank believes that Ms X may have been deceived by a fraudster into believing that she had won a contest and that, in order to receive the prize money, Ms X had revealed her ATM card number and disclosed the PIN, which enabled the fraudster to register for the internet banking facility via XYZ Bank’s website. The fraudster would then have instructed Ms X to visit the nearest ATM machine to enter certain codes, purportedly to finalize the payment of the prize money. Without realizing it, she had registered the fraudster’s mobile number to receive the OTP needed to complete the transactions performed via internet banking.
XYZ Bank’s record indicates there was neither system failure nor breach of security in the internet banking during the aforesaid transaction. A valid username and password were used, arising from the registration of internet banking via Ms X’s ATM card and PIN. The OTP was sent to the mobile number registered via the ATM to complete the transaction.
XYZ Bank contended that numerous warnings and security alerts had been in place on their website, ATM screens and branches, and had also been aired on TV and radio, to forewarn customers of scams and to remind them to protect their essential credentials at all times.
Notwithstanding the above, XYZ Bank proceeded to perform recovery of the sum remitted to Indonesia upon receiving Ms X’s report on the fraudulent transaction. However, XYZ Bank received a reply from the corresponding bank informing it that the disputed transaction was remitted via a straight-through process, resulting in the sum being credited instantly into the beneficiary account without any human or system intervention. Nevertheless, the corresponding bank requested XYZ Bank to comply with certain requirements to enable the beneficiary bank to process the recovery of the disputed transaction from the beneficiary account. Unfortunately, XYZ Bank failed to respond to the corresponding bank on the requirements for recovering the money.
XYZ Bank acknowledged their shortcoming in the recovery process of the transaction and the matter was resolved amicably between the parties.