| Asia | Articles, Insights
In the face of increasing cyber threats, the MAS have this month issued a consultation paper on identity verification which is likely to have some application across all financial institutions in Singapore.
Events of 2020 have exacerbated the reliance on technology and, with it, the associated security risks. The focus on cybersecurity and technology risk is shared in Singapore by companies and authorities alike. This is driven in particular by recent high profile breaches, for example when personal data (including that of Singapore’s Prime Minister) was stolen and released to the public, and follows other consultations around operational resilience and technology risk.
In early November the MAS issued a consultation paper outlining the types of information it will expect FIs to obtain when verifying an individual’s identity in a non-face-to-face situation. Though the spirit of the consultation paper seems to be aimed generally at FIs providing online or telephone services, there are likely to be touchpoints for institutions across the financial industry.
Who will be subject to the Notice?
Most financial institutions that are licenced or registered with the MAS will be required to adhere to the Notice once it is finalised. This includes banks, insurance agents, payment service providers and brokers, who are likely to interact frequently with customers that are individuals. It will also include fund management companies, corporate financiers and trusts businesses who, more often than not, will undertake transactions for customers far less often.
What are the MAS’ expectations?
The MAS is expecting all FIs when verifying the identity of an individual for non-face-to-face contact to use at least one of the following methods:
- information that only the individual knows, such as a password or PIN
- information that only the individual has, such as a one-time password
- information that uniquely identifies the individual based on the individual’s biometrics, such as facial or fingerprint recognition
- information that is only known between the individual and the FI, such as account transaction information.
In particular the MAS doesn’t want FIs to rely solely on data that is frequently given out by individuals, such as NRIC number, residential address and date of birth.
The MAS confirms that the types of individuals that will be subject to the above checks include ‘natural persons appointed to act on behalf of an entity’. Further, the MAS elaborates that it expects FIs to take reasonable care to ensure that any third party that it appoints to act on its behalf complies with the above practice as if the third party is the FI. With respect to the fund management sector it seems, therefore, that the MAS expects checks to be made by Fund Administrators when processing subscription or redemption instructions. The day-to-day impact of the changes are likely to depend therefore on the extent of Fund Administrators’ current anti-fraud controls.
When will this be effective?
Effective date will be six months from date of issuance of the Notice. The MAS will deliberate upon receiving feedback from the industry as to whether should there be a transition period for FIs to implement the frameworks, processes and controls to comply with the requirements.
How can Bovill help?
We can review your policies and procedures to ensure that you’re meeting the Authority’s current standards with respect to onboarding non-face-to-face customers. We can also work with you and any third parties to whom you delegate relevant activities to ensure that the new requirements are met.
In the meantime, you should direct any feedback on the consultation paper to the MAS by 9th December, using this template.