Financial institutions told to tighten verification drill

The MAS recommended that banks verify customers with additional information before undertaking transactions, such as one-time passwords, PIN numbers or biometrics.

The Monetary Authority of Singapore (MAS) has ordered financial institutions to tighten their customer verification processes.

This will address the potential risk that data lost from the cyber attack on SingHealth may be used by fraudsters to perform unauthorised financial transactions.

MAS said in a statement that with immediate effect, all financial institutions should not rely solely on the types of information stolen (name, NRIC number, address, gender, race and date of birth) for customer verification.

The central bank said yesterday that additional information must be used for verification before undertaking transactions for the customer. This may include one-time password, PIN, biometrics and last transaction date or amount, among others.

MAS has also directed all financial institutions to conduct a risk assessment on the impact of the SingHealth incident on their existing control measures for financial services offered to customers, including transaction and inquiry functions.

In the most serious breach of personal data in Singapore to date, it was disclosed last Friday that hackers had gained access to the personal particulars of 1.5 million SingHealth patients.

MAS' chief cyber security officer Tan Yeow Seng said the central bank would work closely with financial institutions to ensure that robust cyber defences are in place so that customers can carry out online financial transactions with confidence.

 

"But customers must also play their part. They must safeguard their passwords and practise good cyber hygiene. If they suspect any fraudulent transactions in their accounts, they should notify their banks immediately," Mr Tan advised.

Currently, for access to online financial services, banks in Singapore are already required to put in place two-factor authentication such as PIN and one-time password at login to identify their customers.

Banks are also required to implement an additional layer of control to authorise high-risk transactions. These include the opening of beneficial accounts, registration of third-party payee details and revision of fund transfer limits.

 
A version of this article appeared in the print edition of The Straits Times on July 25, 2018, with the headline 'Financial institutions told to tighten verification drill'.