The Monetary Authority of Singapore (MAS) proposes to require banks, insurers and other financial institutions (FIs) to strengthen their processes for verifying the identity of their customers in non-face-to-face situations. MAS set out its proposed Notice on Identity Verification (Notice) in its Consultation Paper published on 10 November 2020 and invites the public to comment until 9 December 2020.
The Notice requires FIs to use at least one of the following types of information when verifying an individual’s identity through non-face-to-face channels such as phone or online banking before undertaking any transaction or request from the individual:
Information that only the individual knows
Information that only the individual has
Information that uniquely identifies the individual, based on the individual’s biometrics or behaviour
Information that is only known between the individual and the FI
The requirements will prohibit FIs from relying on common personal information such as NRIC numbers, residential address and date of birth as the sole means of identity verification.
The Notice reiterates the need for FIs to comply with the “Guidelines on Risk Management Practices – Technology Risk” when information is used to verify the identity of an individual for non-face-to-face contact. Therefore, information used to verify the identity of an individual should be securely obtained, processed, transmitted and stored to prevent unauthorised access. FIs are also required to obtain such information through online platforms and shall not ask individuals to disclose their login credentials through phone calls, emails or SMS messages.
FIs must take reasonable care to ensure that third parties they appoint to act on their behalf comply with the requirements of the Notice as if the third parties were FIs.
The Notice seeks to address the risks arising from the increasing number of cyber attacks such as data theft, scams and phishing. FIs should assess whether their identity verification procedures meet the requirements under the Notice and strengthen the level of authentication controls if applicable.
OrionW regularly advises FinTech clients on payment services regulation and licensing matters. For more information about the Notice on Identity Verification, or if you have questions about this article, please contact us at info@orionw.com.
Disclaimer: This article is for general information only and does not constitute legal advice.