19 November, 2020
On 10 November 2020, the Monetary Authority of Singapore (“MAS”) issued a consultation paper inviting public comments on a proposed new Notice on Identity Verification (the “Proposed Notice”). The Proposed Notice is intended to help standardise the type of information that financial institutions should be using to verify the identity of an individual where the individual is being on-boarded without any face-to-face contact. The MAS says that this is being proposed in view of the increasing number of impersonation cases occurring in Singapore, where an individual’s personal particulars are stolen and then misused for unauthorised financial transactions via non-face-to-face channels.
This client update presents an overview of the MAS proposal.
The Objective of the Proposed Notice
The aim of the Proposed Notice is to help establish a uniform set of authentication controls to be implemented by financial institutions when they verify the identity of an individual in circumstances where they have no face-to-face contact with the individual.
It is envisaged that separate notices (in largely identical terms, but with such customisation as may be required) would be issued to each of the following:
- Banks
- Merchant banks
- Direct insurers (but not marine mutual insurers)
- Insurance agents (corporate agents only)
- Registered insurance brokers
- Credit and charge card issuers
- Approved holding companies under the Securities and Futures Act, approved exchanges, recognised market operators, licensed trade repositories, approved clearing houses, and recognised clearing houses incorporated in Singapore
- The Central Depository
- Capital markets services licensees
- Registered fund management companies
- Approved trustees for collective investment schemes
- Licensed financial advisers
- Operators of designated payment systems
- Licensed payment service providers
- Finance companies
- Licensed trust companies
- Licensed credit bureaux
- Benchmark administrators and benchmark submitters
The identification verification requirement
In each case, the proposed requirement is that when a financial institution is verifying an individual’s identity in a non-face-to-face scenario, the financial institution must use at least one of the following:
(a) Something that only the individual knows, such as a password or personal identification number.
(b) Something that only the individual has, such as a cryptographic identification device or token that is issued or registered to the individual, a one-time password sent to the individual’s registered mobile telephone number, or an installed SingPass Mobile application.
(c) Something that uniquely identifies the individual, based on the individual’s biometrics or behaviour. This could include a voice recording, fingerprint, face identification, iris or retina identification or keystroke dynamics.
(d) In the case of an individual authorised to act on behalf of an entity, some information that is only known as between the individuals authorised to act on behalf of that entity, the entity and the financial institution, or in other cases, some information that is only known as between the individual and the financial institution. This could include information such as account transaction details or application identification numbers.
In a case where the financial institution engages a third party to verify identity, the financial institution has to take reasonable care to ensure that the third party complies with the proposed requirements.
Transitional Period
When implemented, the measures will take effect 6 months after the formal date of issuance of the finalised Notice.
What is the use of conventional personal particulars?
It is also mentioned within the MAS consultation paper that the information used to verify identity excludes personal particulars such as name, national registration identity card number, address, date of birth, contact number or email address. This phrasing is slightly ambiguous. At first glance, the use of the word “excluding” might seem to suggest that MAS is saying that henceforth, the use of such usual identification information will not be allowed.
However, this is probably not the intention. Rather, it seems more likely that what MAS meant was that the use of conventional personal particulars such as name, identity card number, etc. would per se be insufficient (given that such particulars can be stolen with relative ease), and that the use of one of the stipulated identification measures (being considered to be inherently more secure) is necessary, over and above the use of conventional personal particulars.
Closing Date of Consultation
The consultation closes on 9 December 2020 and a copy of the MAS consultation paper can be obtained from here.