Banks, insurers and other financial institutions may have to implement more stringent ways of verifying customers' identity in non-face-to-face situations such as phone or online banking.
The Monetary Authority of Singapore (MAS) yesterday issued a consultation paper on the types of information required for such verification. The proposed requirements come against the backdrop of rising impersonation scam cases, and seek to address risks arising from theft and misuse of a person's personal particulars, MAS said.
Under the proposed notice, it would be mandatory for a financial institution, such as a bank, to use at least one of the following types of information for non-face-to-face verification through channels such as phone or online banking:
• A password or PIN
• A one-time password generated through a hardware or software token
• Biometric information which uniquely identifies the individual
• Information that is known only between the individual and the financial institution, such as account transaction details
These would be required before any transactions or requests from the client are undertaken, MAS said.
Financial institutions would also be prohibited from relying on common personal information, such as NRIC number, residential address and date of birth, as the sole means of identity verification.
The measures would strengthen the authentication controls implemented by financial institutions, MAS said.
MAS chief cyber security officer Tan Yeow Seng said personal information like NRIC number is often provided by the public for various purposes, such as filling in application forms. Such information could be used for impersonation fraud.
"The proposed notice will further bolster consumer confidence in financial institutions by making these identity verification practices compulsory during non-face-to-face financial transactions," Mr Tan said, adding that consumers should also play their part by not disclosing their online banking login credentials to others.
MAS is suggesting that these new requirements would take effect six months after the notice is issued, and is seeking comments on whether this transition period would be sufficient for financial institutions to comply. The consultation paper is available on the MAS website and interested parties can submit their comments by Dec 9.
Separately, MAS' Cyber Security Advisory Panel has recommended that financial institutions review their risk profiles and the adequacy of their risk-mitigating measures to maintain oversight of third-party vendors.
These recommendations were presented at an MAS management meeting last Thursday. While Singapore's financial sector has done well so far in its cyber and operational resilience, it cannot rest on its laurels, MAS managing director Ravi Menon said. "Financial institutions must remain alert and nimble and strengthen their defences against emerging cyber threats," he said.
• Additional reporting by Ng Wei Kai