• General Requirement

    • OM-5.1.1

      Retail banks must maintain up-to-date Payment Card Industry Data Security Standards (PCI-DSS) certification. Failure to comply with this requirement will trigger a supervisory response, which may include formal enforcement measures, as set out in Module EN (Enforcement).

      Added: January 2020

    • OM-5.1.2

      In order to maintain up-to-date PCI-DSS certification, retail banks will be periodically audited by PCI-authorised companies for compliance. Licensees are asked to make certified copies of such documents available if requested by the CBB.

      Added: January 2020

    • OM-5.1.2A

      Conventional retail bank licensees must take appropriate measures to counter fraudulent phishing attempts (such as through telephone or WhatsApp calls, SMS or WhatsApp messages, emails and other media) that request customers to provide sensitive personal information that can lead to fraud. The licensees must also enhance their surveillance and monitoring systems to detect, on a timely basis, suspicious account activity caused by such fraudulent attempts.

      Added: October 2020

    • OM-5.1.2B

      Conventional retail bank licensees must raise customer awareness about fraudulent phishing messages by launching extensive customer alert campaigns through media and social media channels. Customers must be warned of such attempts and advised to only use the licensee’s official website, telephone or other channels for communication with it.

      Added: October 2020