OCBC App's New Security Feature - Customer Protection or Intrusion?


By Guest Contributor Lynn Gaspar • 12 Aug 2023

OCBC bank rolled out a new security feature on their app last weekend that generated customer backlash.


What happened?

I’ve been a fan of OCBC since I led their Group Lifestyle Financing division. I think they innovate and create great customer experiences, albeit often low-key and without as much publicity as their peers. But always with the customer in mind. Well… at least until now.

Earlier this week, it was reported that OCBC’s latest app update included a security feature that, per OCBC’s Facebook page, “can detect any app that has been downloaded from unofficial app stores. Once these apps are detected, if you do not uninstall them, you will not be able to log in to our Internet Banking and/or the OCBC Digital app.” Customers must delete the identified apps from their devices to access OCBC’s online/digital banking services. 

OCBC's Facebook post in response to customer feedback on the new security feature on their banking app. Source: OCBC Facebook

 

Like all banking service incidents in Singapore, details of customer displeasure were reported in articles by Straits Times and by Channel News Asia.

You can imagine the customer feedback… and I’m phrasing that politely. There are too many gems to quote here. Scroll through the comments on the Facebook post with a bag of popcorn when you want to feel better about bad business decisions you’ve made. 

While I understand OCBC’s desire to “safeguard customers from malware scams”, I think the initiative could have been executed better and with concern for customers’ experience at the forefront. 

Based on the customer feedback I’ve studied, here’s what I think OCBC could have thought through better:

1. Honourable Objective, But Questionable Approach

OCBC’s objective to “safeguard customers from malware scams” is honourable. But the decision to do so by incorporating a feature that detects and identifies “risky” apps on customers’ phones just feels invasive. This is echoed loudly by the many customer comments accusing the bank of scanning phones without consent and violation of privacy. 

While the bank has reassured customers that they don’t “monitor…activity, nor conduct surveillance” or collect data, from customers' point of view, the feature itself appears to behave like malware - covertly inserted, with the intent of compromising the confidentiality, integrity, or availability of the victim’s data, applications, or operating system or of otherwise annoying or disrupting the victim (source: US Government Computer Security Resource Centre). Several customers even compared OCBC’s app to ransomware - denying access to their accounts unless they comply with the bank’s conditions to delete other apps. Yikes!

This approach also presumes that OCBC’s customers accept that the bank is an expert on cyber security and malware. However, this does not seem to be the case based on customers’ blunt comments, including ones pointing out deficiencies in the bank’s response to phishing scams that resulted in MAS imposing an additional capital requirement of S$330 million.

2. Inconsistent, Blunt Execution

There have been reports that the OCBC security feature isn’t consistent in how it flags risky apps, that its method is too blunt. Well-known apps like DouYin, Ten Cent App Store, Microsoft Authenticator, LG ThinQ have reportedly been highlighted, as have those that are preinstalled as part of many Android operating systems. 

Customers have observed that the filter appears to be primarily blocking Chinese apps (including Chinese banks'), and this has raised accusations of bias. The perceived discrimination also extends to the fact that Apple/iOS users (like me 😅) are largely unaffected. 

And there is the argument from cybersecurity personnel that apps on official app stores can still contain malware. Even Singapore’s GovTech agrees. So this unfriendly and obstructive approach is still not guaranteed to prevent all incidents of malware, phishing and fraud. Did OCBC consider the liability, or at least bad publicity, they'll be exposed to should a future incident occur even with this feature in place?

The reality is that technology is vast and has very diverse touchpoints. Those who exploit its weaknesses tend to move before those who close the gaps. Can any bank really move faster? 

3. Not Anticipating Customers’ Reaction & No Preemptive Communications

It doesn’t appear that the decision to roll out this feature was carefully considered from a customer’s perspective. In my experience, OCBC’s all-or-nothing approach should have necessitated a heads-up to customers, especially the ubiquitous Android user, to explain the feature and prepare them for the potential service disruption.

Unfortunately, OCBC customers’ first encounter was when they attempted to use the app after the update on Saturday 5th August. Besides being stopped from performing a presumably important or timely financial transaction, many were reportedly also startled/confused and thought that there was a problem with the OCBC app itself. 🤦🏻 I received the first detailed communications only on Tuesday 8th August, after customer complaints had already begun rolling in. 

Typically, user and usability testing would have been conducted to determine if the security feature would be welcomed by customers, and if they can effectively use the app with it implemented. I doubt there was any journey mapping done before this rollout to anticipate the different user experience scenarios customers might encounter, including those cited by frustrated customers who are required to use flagged apps by their employers or for work.

In the last week since the update and as of this article, 60% of the reactions on OCBC’s Facebook post are 😡, and most of the 1,200 comments are, unsurprisingly, not in favour of the feature. However, OCBC continues to use a rote response with clients that is tone-deaf and comes across as high-handed - it’s the bank’s way, or the highway.

In Singapore’s digital, hi-tech, and start-up friendly economy, this probably impacts a lot of new generation clients that OCBC has been trying hard to attract. And have now turned off.

OCBC's template response to customer feedback and frustrations on Facebook. And advisory from the Singapore Police Force and Cyber Security Agency. Source: OCBC Facebook Page

 

So Can The Situation Be Salvaged?

While OCBC has the right to put this security feature in their app, it doesn't look like they made any attempt to inform customers about it upfront. Even if no customer information is collected, the fact that the app looks at and flags other apps on customers’ phones is like a dinner guest who looks through your closets and drawers without your permission. It’s a violation of Trust - a value that is fundamental in banking relationships, and something OCBC appears to have forgotten here.

Given we’re where we are and that OCBC appears unlikely to roll back the feature, I would recommend at the very least letting customers decide which apps they want to delete, and which they're willing to risk retaining. There are enough security pop-ups and risk warnings on most Singapore bank apps, what’s one more? 🤷🏻 Oh yes… and a sincere apology to customers for causing the inconvenience would help in regaining customers’ trust. 

With the rise in scams, it’s not surprising that the Monetary Authority of Singapore and The Association of Banks in Singapore circled wagons and issued statements that "support banks’ initiatives to bolster the security of digital banking”. But I hope this hasn't emboldened OCBC to dig their heels in on a decision that creates a decidedly hostile customer experience. I hope they will work together to learn from these ugly experiences and develop security features that don’t cause “unintended inconveniences” to customers. 

MAS' statement addressing queries on OCBC's new security feature. Image source: MAS

 

I do understand OCBC’s intent to protect customers, and acknowledge that the implementation of this security feature is not a breach of privacy laws in Singapore. But personally, like most impacted customers, I do think that the bank is overreaching its authority, and for now, behaving autocratically and without empathy in their handling of customer feedback.

Instead of building trust and mutual respect by helping customers make informed choices about their banking security, OCBC’s approach has taken away that freedom of intelligent choice, and is holding customers’ phones and bank accounts hostage. Based on the many customer threats to close their accounts, the brutal reality is that OCBC may simply be taking away customers’ desire to do business with them.

This article is republished from LinkedIn with the writer's permission. Any opinions expressed belong solely to the author.
