The Monetary Authority of Singapore (MAS) has issued a circular to all financial institutions, directing them to tighten their customer verification processes.
This follows the recent cyber attack at SingHealth where personal information of 1.5 million individuals was illegally accessed and stolen.
For access to online financial services, banks in Singapore are already required to put in place two-factor authentication (e.g. PIN and One-Time-Password) at login to identify their customers. Banks are also required to implement an additional layer of control to authorise high-risk transactions.
Financial institutions also have in place robust measures to verify customer identity. Personal information (name, NRIC number, address, date of birth, etc.) is generally not used as the sole means of verification by financial institutions, as these details are often freely given out by members of the public for various purposes, such as when filling out lucky draw coupons or surveys.
However, to address any risk that the information stolen from SingHealth may be used by fraudsters to impersonate customers and perform unauthorised financial transactions, MAS has directed financial institutions to tighten their customer verification processes. Specifically, with immediate effect, all financial institutions should not rely solely on the types of information stolen (name, NRIC number, address, gender, race, and date of birth) for customer verification. Additional