The Monetary Authority of Singapore ("MAS") is seeking feedback on proposed requirements to strengthen identity verification for non-face-to-face contact situations ("identity verification requirements") for banks, insurers and other financial institutions (collectively, "FIs"). MAS' proposals are set out in its consultation paper on "Notice on Identity Verification" issued on 10 November 2020 ("Consultation Paper"), available here. Feedback on the Consultation Paper must be submitted to MAS by 11.59 pm, 9 December 2020.
The proposed identity verification requirements are intended to address the risks of theft and misuse of an individual's personal particulars and combat the rise of impersonation scam cases. Details of the proposed identity verification requirements will be set out in a proposed new MAS "Notice on Identity Verification" ("Proposed Notice"), which is intended to strengthen the level of authentication controls to be implemented by FIs.
In brief, MAS proposes to make it compulsory for FIs to augment the types of information they obtain for the purpose of verifying an individual’s identity ("verification information") in non-face-to-face situations. FIs are not permitted to solely rely on information such as NRIC number, residential address and date of birth which are commonly given out by individuals ("common personal information") for identity verification purposes.
This Update provides a summary of the proposed enhanced identity verification requirements.
Proposed Applicability of Enhanced Identity Verification Requirements
MAS seeks views on the imposition of these stricter identity verification requirements on various entities regulated by MAS (each referred to as a "relevant entity"), including:
- any bank in Singapore as defined under the Banking Act ("BA");
- any merchant bank approved under the Monetary Authority of Singapore Act;
- any person licensed under the BA to carry on the business of issuing credit cards or charge cards, or both in Singapore;
- any direct insurer licensed under the Insurance Act;
- any holder of a capital markets services licence under the Securities and Futures Act ("SFA");
- any registered fund management company as defined under the Securities and Futures (Licensing and Conduct of Business) Regulations;
- any trustee for collective investment schemes under the SFA;
- any operator of designated payment systems under the Payment Services Act 2019 ("PSA");
- any payment service provider licensed under the PSA; and
- any finance company licensed under the Finance Companies Act.
Please refer to the Consultation Paper for the full list of proposed relevant entities.
Proposed Types of Verification Information to Strengthen Identification Process in Non-Face-to-Face Contact
Under the Proposed Notice, relevant entities must not solely rely on common personal information to verify an individual's identity in non-face-to-face contact situations, such as phone banking or online banking. This is to address risks arising from the theft and misuse of an individual's personal particulars.
Before undertaking any transactions or acting on instructions from the individual in non-face-to-face contact situations, the relevant entity must first verify the identity of an individual (including an individual authorised to act on behalf of an entity). In conducting this identity verification, MAS proposes that a relevant entity must use at least one of the following types of information (excluding common personal information):
- information that only the individual has knowledge of, for instance a password or personal identification number;
- information that only the individual possesses, for instance a cryptographic identification device or token;
- unique identificatory information based on the individual’s biometrics or behaviour;
- information (such as account transaction information or application identification number) that is: (a) in the case of an individual authorised to act on behalf of an entity, only known between the individuals authorised to act on behalf of the entity, the entity and the relevant entity; or (b) in other cases, only known between the individual and the relevant entity.
Please refer to Annex B of the Consultation Paper for non-exhaustive examples of information that a relevant entity may use to meet the requirement.
MAS seeks feedback on the proposed types of verification information and recommendations on other effective types of verification information for non-face-to-face contact.
Security Requirements Relating to Verification Information
MAS expects relevant entities to adhere to the "Guidelines on Risk Management Practices – Technology Risk" when they use the verification information for non-face-to-face contact situations. Relevant entities must ensure that verification information is securely obtained, processed, transmitted and stored to prevent unauthorised access. Relevant entities should also not request any individual to disclose their login credentials through phone calls, emails or SMSes.
Proposed Six-Month Transition Period
MAS suggests that the new requirements will take effect six months from the date of issuance of the final version of the Proposed Notice. FIs must implement the relevant frameworks, processes and controls to comply with these proposed requirements to strengthen the level of authentication controls. In this regard, MAS seeks feedback on the sufficiency of the transition period.