|
Tan Sri Dato' Seri Ali Abul Hassan bin Sulaiman, Governor, Bank Negara Malaysia, today announced that Bank Negara Malaysia (BNM) has investigated the recent reports on incidences of unauthorised ATM withdrawals, which revealed that virtually all of the unauthorised ATM withdrawals were due to the cloning by syndicates of the ATM cards issued by two commercial banks and one non-bank financial institution. These institutions have already upgraded the security features of their ATM cards and are in the process of replacing the old cards with the newly improved cards. In the meantime, these institutions have been directed to take the following measures to minimise the incidence of cloned cards :
- Enhance the ATM systems to detect and retain cloned cards;
- Improve internal controls especially with regard to the PIN generation process;
- Closely monitor the withdrawal pattern of customers to identify suspicious transactions;
- Respond to customers' complaints expeditiously; and
- Set up a customer help centre.
BNM has issued the "Guideline on Minimum Standards for ATM Services" on 29 March 2000 to upgrade the security features of the ATM cards and services that will totally eliminate the incidences of cloned cards. The emphasis of the Guideline is on the security features of the ATM cards and the effective management of the PIN, internal controls for ATM operations and the need for banking institutions to install close circuit cameras at strategic ATM locations. For financial institutions that have yet to fully comply with the guideline, they have been given until end-June 2000 to reconfigure their computer systems and recall the ATM cards without the required security features that have been issued to their customers.
Officers of BNM met with the financial institutions that have yet to fully comply with the BNM Guideline on ATM cards on 7 April 2000. At the meeting, it was agreed that pending full compliance with the guideline, the financial institutions would immediately upgrade the security features of their ATM systems to detect and retain cloned cards. In addition, the financial institutions would also automatically de-link the accounts of their customers whose ATM cards have been cloned and the linking of the bank's ATM systems to the MEPS network. These institutions will also take other precautionary measures such as to block further ATM transactions after monitoring abnormal behavioral patterns and limiting ATM operating hours. Although these additional measures may inconvenience the public somewhat, these temporary measures are necessary to safeguard the safety of customers' deposits pending the upgrading of the affected ATM services. Customers who are apprehensive about the safety of the ATM systems of their banks can also request for their accounts to be de-linked from the ATM systems.
Since the beginning of the year, BNM has significantly stepped up its on-site examination of the ATM systems of the financial institutions in the country. The scope of the examination covered an assessment on the adequacy of controls and security features over the ATM card and Personal Identification Number (PIN), overall management of the ATM operations and handling of customer complaints. These include, amongst others, whether the financial institutions have adopted the following controls and security procedures:
-
Implementing adequate security features on the ATM cards, such as using card verification values to authenticate the card during an ATM transaction. All critical information related to the card which are stored either on the card itself or in the computer system should be well protected from unauthorised access;
-
Providing a highly secured and controlled environment during the PIN generation process to ensure PINs are not compromised. This include protecting all critical information used to generate the PINs;
-
Ensuring PINs are encrypted at all times and are not stored anywhere in the system;
-
Ensuring there is adequate segregation of incompatible duties in the ATM operations; and
- Ensuring there are adequate policies and procedures to handle and respond to inquiries and complaints from customers on ATM-related matters.
Weaknesses noted during the examination were highlighted to the senior management of the financial institutions for their immediate rectification.
Notwithstanding the various measures above, BNM also notes that there has been negligence on the part of the cardholders that led to incidences of unauthorised ATM withdrawals. In this regard, BNM wishes to appeal to the financial public to exercise greater care in preventing unauthorised withdrawal from ATMs. Examples of events that could lead to unauthorised ATM withdrawals and steps that can be taken to prevent monetary loss on the part of the cardholders are highlighted below :
| Examples of events | Suggestions to avoid monetary loss |
| (a) Lost or misplaced wallet/ handbag containing ATM card | PIN should not be kept together with the ATM card and to report to the ATM hotline immediately. |
| (b) Use of ATM card by third party with or without the knowledge of the cardholder | Cardholder should never give his ATM card and PIN to a third party to perform ATM transactions on his behalf. |
| (c) Failure to keep PIN secret or changing PIN to commonly identified numbers eg I/ C numbers, birthdays, car plate numbers etc | Cardholder should perform the ATM transaction alone and should never divulge the PIN to friends or relatives. When changing he PIN number, never use commonly identified numbers that can easily be compromised. |
| (d) Shoulder surfing i.e. strangers look over the shoulders of the person conducting ATM transactions to get the PIN number | Cardholder should always be conscious of suspicious characters around him and be very cautious while performing ATM transactions. |
| (e) Unable to retrieve the card from the machine | To report the incident via the ATM hotline immediately and watch out for any stranger attempting to subsequently retrieve the card. |
| (f) Robbery after performing ATM transactions |
As far as possible, cardholders should avoid performing ATM transactions in remote locations or at odd hours when there are hardly any people around. |
| (g) Cardholder not knowing how to perform ATM transaction or face difficulties while performing ATM transaction | The cardholder should never ask a stranger for assistance in performing ATM transactions. If one does not know how to use the card, it is better for the cardholder to use other means to withdraw money from his account, such as via a passbook or cheques rather than to expose his PIN. |
BNM has also recently urged the financial institutions to enhance their customer service standards by being more customer-driven and pro-active in handling and resolving customer complaints of this nature. Therefore, BNM advises any customer who is aggrieved on account of unauthorised ATM withdrawal to bring up the matter to the attention of the financial institution concerned as soon as possible for a speedy and satisfactory dissolution of the problem. A customer who is not satisfied with the outcome of the complaint may refer the complaint to the Banking Mediation Bureau at the following address within six months of the date of decision made by senior management of the financial institution concerne
- Mediator Banking Mediation Bureau
5 th Floor
MUI Plaza
Jalan P. Ramlee
50250 Kuala Lumpur
Tel. : 03-206 2335 / 2337
Fax : 03-206 2339
If after having being deliberated by the bank's management as well as the bureau the complaints remain unresolved, such complaints may be forwarded to the Bank Regulation Department in BNM.
Although in terms of proportion, the number of cases of unauthorised ATM withdrawals only accounts for 3 out of 100,000 of ATM transactions (i. e. 0.003%), BNM is treating this matter seriously and would continue to monitor the situation closely to ensure that the problem is eradicated as soon as possible.
