Tue, Nov 10, 2020 – 11:26 AM
SOON, financial institutions (FIs) may no longer be allowed to rely on common personal information such as NRIC number, residential address and date of birth as the sole means of identity verification.
This comes as the Monetary Authority of Singapore (MAS) on Tuesday issued a consultation paper on the types of information required for non-face-to-face verification of an individual’s identity, amid rising impersonation scam cases.
With the consultation, MAS aims to address the risks arising from theft and misuse of an individual’s personal particulars.
When it comes to phone or online banking, it is proposed that FIs will have to use at least one of the following types of information for non-face-to-face verification before they undertake any transaction or request from an individual:
a) information that only the individual knows, such as a password or PIN;
b) information that only the individual has, such as a one-time password generated by a hardware token issued to the individual or a software token activated on the individual’s mobile device;
c) information that uniquely identifies the individual, based on the individual’s biometrics, such as face or fingerprint recognition; and
d) information that is only known between the individual and the financial institutions, such as account transaction information.
On the rationale for this move, Tan Yeow Seng, chief cyber security officer, MAS, pointed out that personal information such as NRIC number and date of birth are often provided by members of the public for various purposes, such as filling in an application form.
“This information, if fallen into the wrong hands, can be used for impersonation fraud,” he said.
Even as many FIs already have in place these identity verification practices, the proposed notice will further bolster consumer confidence in FIs by making these identity verification practices compulsory during non-face-to-face financial transactions, added Mr Tan.
In the same vein, the MAS’s Cyber Security Advisory Panel on Tuesday also urged FIs to review their security controls, given the elevated technology-related risks that come from remote working on the back of the Covid-19 pandemic.
It unveiled several key recommendations on enhancing cybersecurity for FIs at the panel’s fourth annual meeting with MAS management on Nov 5, 2020.
One key recommendation from the panel was the need for FIs to review cyber risk profiles to see if they have changed amid the rapid adoption of remote access technologies and work processes. This is to ensure that appropriate controls are implemented to mitigate any new risks.
With the increased reliance on third-party vendors, the panel also stressed that FIs need to step up their oversight of these counterparts and to monitor and secure remote access by third parties to FIs’ systems.
Another key recommendation was for FIs to strengthen governance over the use of open-source software (OSS). This comes as vulnerabilities in OSS are “typically targeted and exploited by threat actors”, with the panel recommending that FIs establish policies and procedures on the use of OSS to ensure that such code is reviewed and tested before it is deployed.
Ravi Menon, MAS’s managing director, said that Singapore’s financial sector has “done well so far” in its cyber and operational resilience amid the new operating environment created by the pandemic.
“But as the situation prolongs, that resilience will come under greater stress as cyber attackers look for new vulnerabilities,” said Mr Menon, who had chaired the meeting. “Financial institutions must remain alert and nimble and strengthen their defences against emerging cyber threats.”