Banks may soon tighten customer verification process amid rise in scams
The move addresses risks of theft and misuse of an individual's personal particulars; MAS issues consultation paper.
Financial institutions (FIs) are due to go beyond using NRIC numbers and birth dates to verify customers' identity for services such as phone or online banking.
With impersonation scam cases on the rise, the Monetary Authority of Singapore (MAS) has proposed additional forms of information required for non-face-to-face verification of an individual's identity. It issued a consultation paper on this on Tuesday, saying that the move is meant to address the risks of theft and misuse of an individual's personal particulars.
For phone or online banking, the MAS has proposed that FIs use at least one of the following types of information for non-face-to-face verification before processing transactions or requests from individuals:
- Information only the individual knows, such as a password or PIN;
- Information only the individual has, such as a one-time password generated by a hardware token, or software token activated on the individual's mobile device;
- Information that uniquely identifies the individual, based on the individual's biometrics, such as face or fingerprint recognition; and
- Information known only between the individual and the FI, such as account transaction information.
On the rationale for this move, Tan Yeow Seng, chief cyber security officer of the MAS, said personal information such as NRIC number and date of birth is often provided by members of the public for various purposes, such as when they fill out application forms.
"This information, if it falls into the wrong hands, can be used for impersonation fraud," he said.
Even as many FIs already have in place these identity-verification practices, the proposed requirements will bolster consumer confidence in FIs, by making these identity-verification practices compulsory during non-face-to-face financial transactions, he added.
In the same vein, the MAS' Cyber Security Advisory Panel on Tuesday also urged FIs to review their security controls, given the elevated technology-related risks that come from remote working on the back of the Covid-19 pandemic.
The panel unveiled several key recommendations on enhancing FIs' cyber security at its fourth annual meeting with the MAS management on Nov 5.
Among them was the need for FIs to review cyber-risk profiles to see whether they have changed amid the rapid adoption of remote-access technologies and work processes. This is to ensure that appropriate controls are implemented to mitigate new risks.
With the increased reliance on third-party vendors, FIs also need to step up their oversight of these counterparts and to monitor and secure remote access by third parties to these FIs' systems, said the panel.
Another key recommendation was for FIs to strengthen governance over the use of open-source software (OSS). This comes as vulnerabilities in OSS are "typically targeted and exploited by threat actors"; the panel recommended that FIs establish policies and procedures on the use of OSS to ensure that such code is reviewed and tested before it is deployed.
Ravi Menon, MAS' managing director, said that Singapore's financial sector has "done well so far" in its cyber and operational resilience amid the new operating environment created by the pandemic.
"But as the situation prolongs, that resilience will come under greater stress as cyber attackers look for new vulnerabilities," said Mr Menon, who had chaired the meeting. "Financial institutions must remain alert and nimble and strengthen their defences against emerging cyber threats."
Source: Business Times © Singapore Press Holdings Ltd. Permission required for reproduction.