MAS issues circular to FIs on addressing risks that arise from theft and misuse of an individual’s personal information
18 April 2023
On 5 April 2023, the Monetary Authority of Singapore (“MAS”) issued a circular to financial institutions (“FIs”) on addressing the risks that arise from the theft and misuse of an individual’s personal information (“Circular”). The Circular articulates the security principles and best practices that should be adopted in FIs’ identity verification processes.
MAS had in November 2020 conducted a public consultation on a proposed MAS Notice which was aimed at mandating the types of information that FIs must use to verify the identity of an individual initiating financial transactions through non-face-to-face communication channels (“proposed Notice”). In its response to the feedback received on the consultation (“Response”), MAS states that it will not issue the proposed Notice.
Details on the Circular and MAS’ response to the feedback received are set out below.
Security principles and best practices
The Circular sets out the security principles that should be adopted by FIs when verifying an individual’s identity:
- Use at least one of the following types of information in the customer authentication process:
  - Something that only the individual knows, such as a password or a personal identification number
  - Something that only the individual has, such as a cryptographic identification device or token
  - Something that uniquely identifies the individual, such as the individual’s biometrics or behaviour
  - Information that is only known between the individual and the FI, such as account transaction information or application identification number
- Implement additional authentication for high-risk activities including, but not limited to, the following:
  - Changes to sensitive customer data (e.g. customer address, email, phone number)
  - Registration of third-party payee
  - High value funds transfers
  - Revision of funds transfer limits
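As an added illustration (not MAS text or any FI's code), the following Python encodes the two principles above as a policy check: presented evidence is mapped to the Circular's four information types, and the listed high-risk activities require a second, distinct type. The evidence names, the action names, the choice to map publicly knowable identifiers (NRIC, address, date of birth) to no category, and the reading of "additional authentication" as a second distinct category are all assumptions made for this example.

```python
# Added example: a policy evaluator for the Circular's authentication principles.

# The four information types named in the Circular.
KNOWLEDGE, POSSESSION, INHERENCE, SHARED_SECRET = "knows", "has", "is", "shared_with_fi"

# Constructed mapping of evidence kinds to Circular categories. Identifiers that
# others can obtain (NRIC, address, date of birth) map to no category at all.
EVIDENCE_CATEGORY = {
    "password": KNOWLEDGE, "pin": KNOWLEDGE,
    "hardware_token": POSSESSION, "app_otp": POSSESSION,
    "fingerprint": INHERENCE, "behavioural_profile": INHERENCE,
    "recent_transaction": SHARED_SECRET, "application_id": SHARED_SECRET,
    "nric": None, "address": None, "date_of_birth": None,
}

# High-risk activities from the Circular; action names are constructed here.
HIGH_RISK_ACTIONS = {
    "change_contact_details", "register_payee",
    "high_value_transfer", "revise_transfer_limit",
}


def categories_present(evidence):
    """Return the set of Circular categories covered by the presented evidence."""
    return {EVIDENCE_CATEGORY.get(item) for item in evidence} - {None}


def authorise(action, evidence):
    """Decide whether an action may proceed; returns (allowed, reason)."""
    cats = categories_present(evidence)
    if not cats:
        # Only identifiers such as NRIC or date of birth were offered.
        return False, "no accepted authentication factor presented"
    if action in HIGH_RISK_ACTIONS and len(cats) < 2:
        # Assumption: a second factor from a different category is required,
        # so password plus PIN (both 'knows') is not enough for high-risk actions.
        return False, f"{action} is high-risk: second factor category required"
    return True, "ok"


if __name__ == "__main__":
    for action, evidence in [
        ("balance_enquiry", ["nric", "date_of_birth"]),
        ("register_payee", ["password"]),
        ("register_payee", ["password", "pin"]),
        ("register_payee", ["password", "app_otp"]),
    ]:
        print(action, evidence, "->", authorise(action, evidence))
```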
The Circular states that FIs should assess identity theft and account takeover risks that stem from the use of stolen personal information and implement processes and controls to effectively mitigate these risks.
In relation to online financial services, section 14 of the MAS Technology Risk Management Guidelines expects FIs to implement real-time fraud monitoring systems to identify and block suspicious or fraudulent online transactions. This can include systems to monitor the use of geolocation data, device characteristics, timing of request patterns, browser metadata and systems that detect fraud modus operandi to identify potential fraud. FIs should also review suspicious login attempts and transactions promptly.
The Circular states that FIs are ultimately responsible and accountable for ensuring that an individual is who he or she claims to be before undertaking any transactions for the individual or acting on instructions from the individual. The identity verification measures that FIs adopt should be commensurate with the risks posed by the theft and misuse of personal information.
MAS response to feedback received
MAS considered the feedback received from the public consultation and stated that it will not issue the proposed Notice as it has assessed that there is currently no need to mandate the type of information to verify an individual’s identity. However, given that the fraud landscape and authentication solutions continue to evolve, MAS issued the Circular as FIs need to continuously improve their identity verification processes and controls to address the risk of unauthorised financial transactions.
The proposed Notice was aimed at reducing the risk of unauthorised financial transactions arising from the theft and misuse of an individual’s personal information. Under the proposed Notice, FIs would have been required to use at least one of the following four identity verification methods: (1) something that only the individual knows, (2) something that only the individual has, (3) something that uniquely identifies the individual, or (4) information that is only known between the individual and the FI. FIs would have been prohibited from relying on personal information such as NRIC number, residential address, and date of birth as the sole means to verify an individual’s identity.
As technological solutions for identity verification are still evolving, MAS states that FIs have requested flexibility to assess different technologies, processes, and controls which may be used to identify an individual over non-face-to-face interactions and to implement those that are most effective in mitigating the identity theft risks unique to their operating environment.
More information on the public consultation is set out in our article titled “MAS seeks comments on requirements to strengthen FIs’ non-face-to-face identity verification process”.
The following materials are available on the relevant webpage of the MAS website www.mas.gov.sg: