The proposal would require financial institutions to use certain categories of information for non-face-to-face verification before undertaking transactions or requests.
In November 2020, the Monetary Authority of Singapore (the MAS) published a consultation paper proposing to issue a Notice on Identity Verification (the Notice) that would require financial institutions to obtain specific categories of information to verify an individual’s identity for non-face-to-face financial transactions.
The Notice would apply to a broad range of entities regulated by the MAS, including licensed banks, insurers, registered insurance brokers, capital markets services licensees, registered fund management companies, financial advisers, and licensed payment services providers.
Under the Notice, when verifying the identity of an individual for non-face-to-face financial transactions, financial institutions would be mandated to use at least one of the following types of information:
- Information that only the individual knows (e.g., a password or PIN)
- Information that only the individual has (e.g., password-generating hardware or software tokens issued to the individual, or a one-time password sent to the individual’s mobile number)
- Information that uniquely identifies the individual based on the individual’s biometrics or behaviour (e.g., voice, face, fingerprint recognition or keystrokes dynamics)
- Information that is only known between the individual and the financial institutions (e.g., account transaction information or an application identification number)
The Notice would prohibit financial institutions from relying on personal particulars — such as an individual’s name, national registration identity card number, address, date of birth, contact number, or email address — as the sole means of identity verification. Using these personal particulars is currently not prohibited, though under the MAS Technology Risk Management Guidelines, financial institutions are expected to implement two-factor authentication at login for online financial systems and transaction signing for authorising transactions. The Notice would supplement these existing MAS guidelines regarding the security of online financial services.
If the financial institution appoints a third party to verify the identity of individuals on its behalf, the Notice would require the financial institution to take reasonable care to ensure the third party also complies with the Notice’s requirements.
The deadline for responses to the public consultation is 9 December 2020. The MAS is proposing a six-month transition period from the date of issuance of the Notice for financial institutions to comply with the requirements. Financial institutions that offer services to individuals in Singapore, or have Singapore-based individual customers, should consider whether they will need to amend their current customer verification processes, should the MAS proceed with the changes being consulted on.