20 November 2020

On 10 November 2020, the Monetary Authority of Singapore (“MAS”) issued a consultation paper on its proposal to issue a Notice on Identity Verification to strengthen the level of authentication controls to be implemented by financial institutions (“FIs”). This is to address the risks arising from the theft and misuse of an individual’s personal particulars through non-face-to-face channels such as online financial service or phone banking.

FIs will be required to enhance the types of information they obtain for the purpose of verifying an individual’s identity before they undertake any transactions for the individual or act on instructions from the individual. MAS is seeking comments on the types of information required to verify the identity of an individual without face-to-face contact and the FIs that will be subject to the new requirements.

To give FIs adequate time to implement the frameworks, processes and controls to comply with the requirements under the proposed Notice, MAS proposes to implement the requirements six months from the date of issuance of the Notice.

The consultation closes on 9 December 2020.

Set out below is an overview of MAS’ proposals in the consultation paper.

FIs that will have to meet new verification requirements

MAS proposes to impose the new verification requirements on the following entities that are regulated by MAS:

  • a bank incorporated in Singapore, or bank incorporated outside Singapore with branches and offices located within Singapore;
  • a merchant bank approved under the Monetary Authority of Singapore Act;
  • a direct insurer licensed under the Insurance Act, except marine mutual insurers;
  • an insurance agent under the Insurance Act, except for (i) an individual, (ii) a person exempted from holding a financial adviser’s licence under section 23(1)(f) of the Financial Advisers Act (“FAA”), and (iii) a person exempted from the requirement under section 6(1) of the FAA to hold a financial adviser’s licence to act as a financial adviser;
  • a registered insurance broker under the Insurance Act;
  • a person licensed under the Banking Act to carry on the business of issuing credit cards or charge cards, or both in Singapore;
  • an approved holding company, approved exchange, recognised market operator which is incorporated in Singapore, licensed trade repository, approved clearing house, recognised clearing house which is incorporated in Singapore;
  • The Central Depository (Pte) Limited or any other corporation approved by MAS as a depository company or corporation which operates the Central Depository System for the holding and transfer of book-entry securities;
  • a holder of a capital markets services licence under the Securities and Futures Act (“SFA”);
  • a registered fund management company as defined in the Securities and Futures (Licensing and Conduct of Business) Regulations;
  • a person approved under the SFA to act as a trustee for a unit trust;
  • a licensed financial adviser under the FAA;
  • an operator of designated payment systems under the Payment Services Act 2019;
  • a licensed payment service provider under the Payment Services Act 2019;
  • a licensed finance company under the Finance Companies Act;
  • a licensed trust company under the Trust Companies Act;
  • a licensed credit bureau under the Credit Bureau Act 2016; and
  • an authorised benchmark administrator, exempt benchmark administrator, authorised benchmark submitter or designated benchmark submitter under the SFA.

Types of information required for non-face-to-face verification of individual’s identity

Where an FI is verifying the identity of an individual (which includes an individual authorised to act on behalf of an entity) for non-face-to-face contact, the FI must do so using at least one of the types of information set out in the table below. For guidance, MAS has provided the examples in the table that an FI can use to verify the identity of an individual for non-face-to-face contact.

The proposed Notice will prohibit FIs from relying solely on information that is often given out by individuals to verify an individual’s identity, such as NRIC number, residential address and date of birth.

Types of information FIs can use to verify identity of individual for non-face-to-face contact

Examples

Something that only the individual knows, such as password or personal identification number (“PIN”)

·         Username and password

·         Card number and PIN

Something that only the individual has, such as a cryptographic identification device or token

·         Password-generating hardware or software token that is issued to or registered with the individual

·         Smart card that is issued to or registered with the individual

·         One-time password (OTP) sent to the individual’s registered mobile number

·         SingPass Mobile application installed and activated on the individual’s mobile

Something that uniquely identifies the individual, based on the individual’s biometrics or behaviour

·         Voice

·         Fingerprints

·         Face

·         Iris or retina

·         Keystrokes dynamics

Information (such as account transaction information or application identification number) that is:

(i)     in the case of an individual authorised to act on behalf of an entity, only known between the individuals authorised to act on behalf of the entity, the entity and the FI; or

(ii)    in other cases, only known between the individual and the FI

·         Account transaction details

·         Application identification number

(Source: MAS Consultation Paper on Notice on Identity Verification)

The FI must take reasonable care to ensure that any third party that it appoints to act on its behalf complies with the above requirements as if the third party is the FI.

Reference materials

The following materials are available on the MAS website www.mas.gov.sg: