29 September 2022

Kuala Lumpur: CIMB Bank Berhad and CIMB Islamic Bank Berhad (collectively “CIMB” or “the Bank”) announced today that it is firmly on track to fully implement the enhanced security measures against scams announced recently by Bank Negara Malaysia (“BNM”), and supported by the Association of Banks in Malaysia (“ABM”) and Association of Islamic Banking and Financial Institutions in Malaysia (“AIBIM”).


Dato’ Abdul Rahman Ahmad, Group Chief Executive Officer of CIMB Group said, “Security is always CIMB’s highest priority, and the Bank already has strong existing controls with multiple layers of security in place. At the same time, CIMB is committed to ensuring that the security measures are continually enhanced to protect customers. As such, the Bank is supportive of the five additional security measures as announced by BNM, and is committed to fully implement them in a timely manner.”


With regard to migrating from SMS One Time Password (“OTP”) / Transaction Authorisation Code (“TAC”) to a more secure multi-factor authentication method, CIMB has already implemented SecureTAC approval via its CIMB Clicks App for online activities, fund transfers and payments, as well as changes to personal information and account settings. SMS OTP/TAC is currently only available as a fallback option for customers without the Clicks App or for FPX transactions. The Bank will fully cease the alternative option of using SMS OTP/TAC and mandate only SecureTAC authorisation by the first half of 2023. CIMB urges all customers who have yet to do so to download the CIMB Clicks App and turn on notifications, as this will be required for them to continue enjoying digital banking services in a secure manner.


CIMB is also accelerating the implementation of measures to limit customers to one secure mobile device for the authentication of online banking transactions, with a targeted rollout by end-October 2022. In line with the single secure mobile device restriction, the Bank will introduce an added control measure in the form of a customer verification callback process for all new online banking registration and new secure device activation to protect customers against financial scams.


CIMB will also introduce progressively a cooling-off period as an additional safeguard for first-time enrolment of online banking or secure devices. Once implemented, activation of service will take place during this period only after verification or contact has been made with the customer. These additional measures will make the registration of online banking and change of device process more secure.


The mandate for financial institutions to further tighten fraud detection rules and triggers for blocking suspected scam transactions is also welcomed. CIMB already has a sophisticated real-time fraud monitoring system in place to detect high risk transactions and out-of-norm usage or behaviour. The Bank will continue to ensure fraud detection rules are enhanced on an on-going basis to reflect evolving scam methods and fraudulent behaviour, with customers to be alerted and contacted when unusual or suspicious transactions are flagged.


On the requirement for financial institutions to set up dedicated hotlines for customers to report financial scam incidents, CIMB has a 24/7 Consumer Contact Centre at +603-6204 7788, where an option for scams/fraud is prioritised on the pre-recorded interactive voice response (“IVR”) tree. The Bank will monitor and ensure high compliance in further prioritising scam response and ensure customers are able to contact the bank for assistance or to report scams in an expeditious manner.


In addition, on the requirement for financial institutions to provide convenient ways for customers to suspend their bank accounts or cards if they suspect that their accounts have been compromised, this measure is already available via the Bank’s 24/7 CIMB Consumer Contact Centre. Customers who suspect their banking details have been compromised or that a suspicious transaction has taken place can immediately contact the CIMB contact centre to suspend their account immediately. CIMB will provide a self-serve feature on its digital banking platform for customers to temporarily suspend their account on their own. This service is expected to be made available by the first half of 2023.


“The safety and security of our customers remains a priority in everything that we do, and we remain committed to continuously enhance and tighten all measures in order to ensure our customers’ funds and banking transactions remain secure,” added Dato’ Abdul Rahman.


Alongside the safeguards highlighted above, CIMB has already implemented or is in the process of introducing other measures to protect customers against scams. These include, among others:


  1. By end-2022, the Bank will no longer include live URLs, i.e. clickable links, in its SMS messages to customers. As such, the Bank urges customers to ignore and to avoid clicking on any URLs in messages claiming to be from CIMB.
  2. CIMB actively monitors and works with the relevant authorities to detect and take down phishing websites, fraudulent brand usage on web and social media, and rogue mobile apps, with regional coverage.


In addressing the growing prevalence of scams, CIMB is ramping up its education and awareness efforts to ensure customers remain vigilant at all times when transacting or banking digitally. The Bank would also like to take this opportunity to remind customers of the following online banking safety tips:


  • Avoid downloading any installation files (APK files) on devices, and only download apps from genuine app stores.
  • Only download apps from genuine app stores such as the Apple App Store, Google Play Store or Huawei AppGallery, and never from a link.
  • Never share SMS TAC/OTP and SecureTAC with anyone. The Bank will not contact a customer to request this information or any personal information.
  • Ensure that your online banking security image and/or phrase are correctly displayed on-screen before logging in.
  • Always ensure emails, SMSes and calls received come from actual legitimate sources. When in doubt, call the Bank to verify such communication.
  • Avoid clicking on links or attachments sent via suspicious emails or chat messages such as SMS, WhatsApp, Messenger and other similar services.
  • Always verify that links are accurate to avoid clicking on a phishing link, and verify that the link or website is a secure URL.
  • Regularly update the operating system of your devices to keep them updated with the latest security patches.
  • Always update your banking app to the latest version available so that you are well-protected and banking securely.


Customers who detect unusual or suspicious activity or transactions involving their bank accounts should immediately:


  • Notify the Bank by calling CIMB’s Consumer Contact Centre at +603-6204 7788, which is available 24/7;
  • Change their account password/PIN;
  • Contact the Commercial Crime Investigation Department (“CCID”) Scam Response Centre at +603-2610 1559/1599; and
  • Lodge a police report to facilitate the investigation.


In line with ABM and AIBIM, CIMB also welcomes measures to further elevate Polis Diraja Malaysia’s (“PDRM”) CCID Scam Response Centre as a more systematic information sharing platform that will enable quicker action to prevent further losses.