MAS consults on the strengthening of identity verification processes

By Edil Corneille

Today, the Monetary Authority of Singapore (MAS) issued a consultation paper on the types of information required for non-face-to-face verification of an individual’s identity. These proposed requirements come against the backdrop of rising impersonation scam cases, and seek to address the risks arising from theft and misuse of an individual’s personal particulars.

Financial institutions have to use at least one of the below-mentioned types of information through channels such as phone banking or online banking for non-face-to-face verification before any transactions or requests are undertaken:

•  Information that only the individual knows, such as a password or PIN. Financial institutions have to securely obtain such information through online platforms and should not ask any individual to disclose their login credentials through phone calls, emails or SMSes.
• Information that only the individual has, such as one-time password generated by a hardware token issued to the individual or software token activated on the individual’s mobile device.
• Information that uniquely identifies the individual, based on the individual’s biometrics, such as a face or fingerprint recognition
• Information that is only known between the individual and the financial institutions, such as account transaction information.

Tan Yeow Seng, Chief Cyber Security Officer, MAS, said, “Personal information such as NRIC number and date of birth are often provided by members of public for various purposes, such as filling in an application form. This information, if fallen into the wrong hands, can be used for impersonation fraud. Financial institutions already have in place these identity verification practices. The proposed Notice will further bolster consumer confidence in financial institutions by making these identity verification practices compulsory during non-face-to-face financial transactions. Consumers should also play their part by not disclosing their online banking login credentials such as account username, PIN number and one-time password.”

The proposed notice will also prohibit financial institutions from relying on common personal information such as NRIC number, residential address and date of birth as the sole means of identity verification.