Singapore Looks to Enhance Banking ID VerificationMonetary Authority Considers New Requirements
In a bid to reduce rising impersonation and identity theft cases, the Monetary Authority of Singapore is proposing to require the use of enhanced identify verification during mobile and online banking transactions.
See Also: Top 50 Security Threats
In a consultation paper, the Monetary Authority, the country's central bank and financial regulatory authority, proposes new requirements that seek to address increasing identity thefts cases, which have significantly risen in the last two years.
Under the proposed requirements, financial institutions would have to use at least one of the following to identify individuals before they make mobile and online transactions:
- Information that only the individual knows, such as a password or PIN;
- A one-time password generated by a hardware token issued to the individual or software token activated on the individual’s mobile device;
- Biometrics, such as a fingerprint;
- Information that is only known between the individual and the financial institutions, such as account transaction information.
The Monetary Authority also reiterates that all financial institutions should refrain from using individual's National Registration Identity Card number, residential address, and date of birth as the primary means of identity verification, which has been a common practice (see: Singapore Banks Advised to Strengthen Customer Verification).
"Personal information such as NRIC number and date of birth are often provided by members of the public for various purposes, such as filling in an application form," Tan Yeow Seng, the chief cyber security officer for Monetary Authority, noted. "This information, if fallen into the wrong hands, can be used for impersonation fraud."
The proposed new ID requirements would “further bolster consumer confidence in financial institutions by making these identity verification practices compulsory during non-face-to-face financial transactions,” the Monetary Authority states.
The authority is accepting comments on its proposal until Dec. 9, after which it will finalize the mandates that would go into effect six months later.
Following a spate of data breaches in 2018, the Singapore Monetary Authority mandated for financial institutions to implement six security measures to better guard against cyberattacks. This included regular updating of software, establishing robust security for systems and connections, installing anti-virus software, restricting the use of system administrator accounts and strengthening the authentication for these accounts (see: Security Requirements for Singapore Banks Proposed).
In September 2019, Singapore's Personal Data Protection Commission made it illegal for organizations to gather and hoard citizens' National Registration Identity Card numbers unless it is required by law or the individual has given permission (see: Singapore Adopts Stricter ID Collection Rules).