The Monetary Authority of Singapore (MAS) today issued a consultation paper on the types of information required for non-face-to-face verification of an individual’s identity. These proposed requirements come against the backdrop of rising impersonation scam cases, and seek to address the risks arising from theft and misuse of an individual’s personal particulars.
2 Under the proposed Notice, it would be mandatory for a financial institution to use at least one of the following types of information for non-face-to-face verification, through channels such as phone banking or online banking, before it undertakes any transactions or request from an individual:
a) Information that only the individual knows, such as password or PIN [1] ;
b) Information that only the individual has, such as one-time password generated by a hardware token issued to the individual or software token activated on the individual’s mobile device;
c) Information that uniquely identifies the individual, based on the individual’s biometrics, such as face or fingerprint recognition; or
d) Information that is only known between the individual and the financial institutions, such as account transaction information.
3 The proposed Notice will also prohibit financial institutions from relying on common personal information such as NRIC number, residential address and date of birth as the sole means of identity verification.
4 Mr Tan Yeow Seng, Chief Cyber Security Officer, MAS, said, “Personal information such as NRIC number and date of birth are often provided by members of public for various purposes, such as filling in an application form. This information, if fallen into the wrong hands, can be used for impersonation fraud. Financial institutions already have in place these identity verification practices. The proposed Notice will further bolster consumer confidence in financial institutions by making these identity verification practices compulsory during non-face-to-face financial transactions. Consumers should also play their part by not disclosing their online banking login credentials such as account username, PIN number and one-time password.”
5 The consultation paper is available on MAS’ website: here. MAS invites interested parties to submit their comments on the proposed Notice to techrisk@mas.gov.sg by 9 December 2020.
****
- [1] Financial institutions will securely obtain such information through online platforms, and should not ask any individual to disclose their login credentials through phone calls, emails or SMSes.